Edit tour

Windows Analysis Report
Arrival Notice.exe

Overview

General Information

Sample name:	Arrival Notice.exe
Analysis ID:	1577189
MD5:	c3f4606a2dee3f372af2108340951322
SHA1:	dad640bb0afeb3f348ef692fe271e7e0ca1eab45
SHA256:	7135dd0f5ab3268a874f61397f34be3d83a7e7b4620be22df6ce6fb1c2fffd7b
Tags:	exeuser-threatcat_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

Arrival Notice.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: C3F4606A2DEE3F372AF2108340951322)

svchost.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["154.216.17.190:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3W6OXK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.4156834032.0000000003430000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.4156781052.0000000003400000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
Process Memory Space: Arrival Notice.exe PID: 6860	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Arrival Notice.exe PID: 6860	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Arrival Notice.exe PID: 6860	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Arrival Notice.exe PID: 6860	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xab60b3:$a1: Remcos restarted by watchdog! 0xab6610:$a3: %02i:%02i:%02i:%03i 0xab69c8:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 6992	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 6992	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 6992	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 6992	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1595a:$a1: Remcos restarted by watchdog! 0x15eb7:$a3: %02i:%02i:%02i:%03i 0x1626f:$a3: %02i:%02i:%02i:%03i
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Arrival Notice.exe.4190000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.Arrival Notice.exe.4190000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Arrival Notice.exe.4190000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Arrival Notice.exe.4190000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
0.2.Arrival Notice.exe.4190000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
0.2.Arrival Notice.exe.4190000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
1.2.svchost.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
1.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
1.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
1.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
1.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
0.2.Arrival Notice.exe.4190000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.Arrival Notice.exe.4190000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Arrival Notice.exe.4190000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Arrival Notice.exe.4190000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.Arrival Notice.exe.4190000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.Arrival Notice.exe.4190000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice.exe, ParentProcessId: 6860, ParentProcessName: Arrival Notice.exe, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ProcessId: 6992, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice.exe, ParentProcessId: 6860, ParentProcessName: Arrival Notice.exe, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ProcessId: 6992, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: C4 22 9D 66 F0 F9 3A 05 E3 75 48 75 45 FC 4C A0 D5 36 0D C1 D9 20 23 7B 59 74 CD 0A 4F F1 61 3C CE F8 6C E0 15 00 7A 14 95 03 62 70 58 45 C6 07 92 FC 50 36 06 E4 A8 F3 51 19 61 A3 A2 DD D3 12 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-3W6OXK\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T09:03:06.249721+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49730	154.216.17.190	2404	TCP
2024-12-18T09:03:09.603113+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49731	154.216.17.190	2404	TCP
2024-12-18T09:03:12.985262+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49732	154.216.17.190	2404	TCP
2024-12-18T09:03:16.328989+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49733	154.216.17.190	2404	TCP
2024-12-18T09:03:19.673510+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49735	154.216.17.190	2404	TCP
2024-12-18T09:03:23.016739+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49738	154.216.17.190	2404	TCP
2024-12-18T09:03:26.361725+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49741	154.216.17.190	2404	TCP
2024-12-18T09:03:29.704799+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49743	154.216.17.190	2404	TCP
2024-12-18T09:03:33.066100+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49744	154.216.17.190	2404	TCP
2024-12-18T09:03:36.424355+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49745	154.216.17.190	2404	TCP
2024-12-18T09:03:39.768655+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49746	154.216.17.190	2404	TCP
2024-12-18T09:03:43.111896+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49747	154.216.17.190	2404	TCP
2024-12-18T09:03:46.455031+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49748	154.216.17.190	2404	TCP
2024-12-18T09:03:49.831061+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49749	154.216.17.190	2404	TCP
2024-12-18T09:03:53.205392+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49750	154.216.17.190	2404	TCP
2024-12-18T09:03:56.550346+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49751	154.216.17.190	2404	TCP
2024-12-18T09:03:59.893159+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49753	154.216.17.190	2404	TCP
2024-12-18T09:04:03.255242+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49760	154.216.17.190	2404	TCP
2024-12-18T09:04:06.614291+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49771	154.216.17.190	2404	TCP
2024-12-18T09:04:09.954296+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49777	154.216.17.190	2404	TCP
2024-12-18T09:04:13.298205+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49788	154.216.17.190	2404	TCP
2024-12-18T09:04:16.643223+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49794	154.216.17.190	2404	TCP
2024-12-18T09:04:19.989594+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49805	154.216.17.190	2404	TCP
2024-12-18T09:04:23.330493+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49812	154.216.17.190	2404	TCP
2024-12-18T09:04:26.673679+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49822	154.216.17.190	2404	TCP
2024-12-18T09:04:30.017358+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49831	154.216.17.190	2404	TCP
2024-12-18T09:04:33.363214+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49837	154.216.17.190	2404	TCP
2024-12-18T09:04:36.706662+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49847	154.216.17.190	2404	TCP
2024-12-18T09:04:40.050468+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49854	154.216.17.190	2404	TCP
2024-12-18T09:04:43.393261+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49864	154.216.17.190	2404	TCP
2024-12-18T09:04:46.823022+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49870	154.216.17.190	2404	TCP
2024-12-18T09:04:50.174672+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49881	154.216.17.190	2404	TCP
2024-12-18T09:04:53.518760+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49888	154.216.17.190	2404	TCP
2024-12-18T09:04:57.183312+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49898	154.216.17.190	2404	TCP
2024-12-18T09:05:00.472007+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49904	154.216.17.190	2404	TCP
2024-12-18T09:05:03.722996+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49915	154.216.17.190	2404	TCP
2024-12-18T09:05:06.940711+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49921	154.216.17.190	2404	TCP
2024-12-18T09:05:10.129601+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49931	154.216.17.190	2404	TCP
2024-12-18T09:05:13.397288+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49937	154.216.17.190	2404	TCP
2024-12-18T09:05:16.534065+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49946	154.216.17.190	2404	TCP
2024-12-18T09:05:19.644151+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49954	154.216.17.190	2404	TCP
2024-12-18T09:05:22.738070+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49962	154.216.17.190	2404	TCP
2024-12-18T09:05:25.815348+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49971	154.216.17.190	2404	TCP
2024-12-18T09:05:28.847510+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49977	154.216.17.190	2404	TCP
2024-12-18T09:05:31.879986+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49986	154.216.17.190	2404	TCP
2024-12-18T09:05:34.895362+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49994	154.216.17.190	2404	TCP
2024-12-18T09:05:37.915402+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50002	154.216.17.190	2404	TCP
2024-12-18T09:05:40.881000+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50011	154.216.17.190	2404	TCP
2024-12-18T09:05:43.817589+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50016	154.216.17.190	2404	TCP
2024-12-18T09:05:46.801930+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50026	154.216.17.190	2404	TCP
2024-12-18T09:05:49.695373+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50033	154.216.17.190	2404	TCP
2024-12-18T09:05:52.566689+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50039	154.216.17.190	2404	TCP
2024-12-18T09:05:55.427332+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50048	154.216.17.190	2404	TCP
2024-12-18T09:05:58.270101+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50056	154.216.17.190	2404	TCP
2024-12-18T09:06:01.101367+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50058	154.216.17.190	2404	TCP
2024-12-18T09:06:03.927758+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50059	154.216.17.190	2404	TCP
2024-12-18T09:06:06.723646+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50060	154.216.17.190	2404	TCP
2024-12-18T09:06:09.506254+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50061	154.216.17.190	2404	TCP
2024-12-18T09:06:12.301465+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50062	154.216.17.190	2404	TCP
2024-12-18T09:06:15.055429+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50063	154.216.17.190	2404	TCP
2024-12-18T09:06:17.787471+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50064	154.216.17.190	2404	TCP
2024-12-18T09:06:20.504996+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50065	154.216.17.190	2404	TCP
2024-12-18T09:06:23.227526+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50066	154.216.17.190	2404	TCP
2024-12-18T09:06:25.929624+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50067	154.216.17.190	2404	TCP
2024-12-18T09:06:28.627379+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50068	154.216.17.190	2404	TCP
2024-12-18T09:06:31.303427+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50069	154.216.17.190	2404	TCP
2024-12-18T09:06:33.975404+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50070	154.216.17.190	2404	TCP
2024-12-18T09:06:36.646573+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50071	154.216.17.190	2404	TCP
2024-12-18T09:06:39.286782+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50072	154.216.17.190	2404	TCP
2024-12-18T09:06:41.925964+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50073	154.216.17.190	2404	TCP
2024-12-18T09:06:44.553512+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50074	154.216.17.190	2404	TCP
2024-12-18T09:06:47.177135+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50075	154.216.17.190	2404	TCP
2024-12-18T09:06:49.785710+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50076	154.216.17.190	2404	TCP
2024-12-18T09:06:52.383534+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50077	154.216.17.190	2404	TCP
2024-12-18T09:06:54.975092+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50078	154.216.17.190	2404	TCP
2024-12-18T09:06:57.573946+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50079	154.216.17.190	2404	TCP
2024-12-18T09:07:00.145830+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50080	154.216.17.190	2404	TCP
2024-12-18T09:07:02.714328+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50081	154.216.17.190	2404	TCP
2024-12-18T09:07:05.271575+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50082	154.216.17.190	2404	TCP
2024-12-18T09:07:07.818849+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50083	154.216.17.190	2404	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Arrival Notice.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.4156781052.0000000003400000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["154.216.17.190:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3W6OXK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: Arrival Notice.exe	Virustotal: Detection: 31%			Perma Link
Source: Arrival Notice.exe	ReversingLabs: Detection: 55%

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4156834032.0000000003430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156781052.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6992, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Arrival Notice.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

1_2_0043293A

Source: Arrival Notice.exe, 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_ce075aec-7

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6992, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00406764 _wcslen,CoGetObject,

1_2_00406764

Source: Arrival Notice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Arrival Notice.exe, 00000000.00000003.1722018408.0000000004210000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1722152891.00000000043B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Arrival Notice.exe, 00000000.00000003.1722018408.0000000004210000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1722152891.00000000043B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EDDBBE
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE68EE FindFirstFileW,FindClose,	0_2_00EE68EE
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EE698F
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EDD076
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EDD3A9
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EE9642
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EE979D
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EE9B2B
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EE5C97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_0040B335
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	1_2_0041B42F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_0040B53A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	1_2_004089A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,	1_2_00406AC2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	1_2_00407A8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	1_2_00418C69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	1_2_00408DA7

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_00406F06

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49732 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49731 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49738 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49741 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49735 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49745 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49746 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49751 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49744 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49748 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49788 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49794 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49805 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49749 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49750 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49831 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49837 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49777 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49847 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49747 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49812 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49870 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49881 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49753 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49822 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49854 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49760 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49864 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49888 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49771 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49743 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49898 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49915 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49904 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49921 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49937 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49946 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49971 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49977 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49986 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49954 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49994 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50002 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49962 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50033 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50016 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50039 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50026 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50059 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50056 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50048 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50058 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50067 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50064 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50062 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50066 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50069 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50072 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50073 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50074 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50082 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50065 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50081 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50071 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50083 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50068 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50079 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50070 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50063 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50075 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50078 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50080 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50061 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50011 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50076 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50077 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50060 -> 154.216.17.190:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49931 -> 154.216.17.190:2404

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 154.216.17.190 2404

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 154.216.17.190

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 154.216.17.190:2404

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.190

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00EECE44

Source: svchost.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: Arrival Notice.exe, 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

1_2_004099E4

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EEEAFF

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00EEED6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,		1_2_004159C6

Source: C:\Users\user\Desktop\Arrival Notice.exe

0_2_00EEEAFF

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EDAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00EDAA57

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00F09576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F09576

Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6992, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4156834032.0000000003430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156781052.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6992, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041BB71 SystemParametersInfoW,		1_2_0041BB71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041BB77 SystemParametersInfoW,		1_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: Arrival Notice.exe PID: 6860, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6992, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Arrival Notice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Arrival Notice.exe, 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_84192ade-3
Source: Arrival Notice.exe, 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_50aebc88-a
Source: Arrival Notice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_463c2c40-8
Source: Arrival Notice.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_97199a36-7

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Arrival Notice.exe

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EDD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00EDD5EB

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00ED1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00ED1201

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00EDE8F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,		1_2_004158B9

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E78060	0_2_00E78060
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE2046	0_2_00EE2046
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00ED8298	0_2_00ED8298
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EAE4FF	0_2_00EAE4FF
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EA676B	0_2_00EA676B
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00F04873	0_2_00F04873
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E7CAF0	0_2_00E7CAF0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E9CAA0	0_2_00E9CAA0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E8CC39	0_2_00E8CC39
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EA6DD9	0_2_00EA6DD9
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E8D063	0_2_00E8D063
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E791C0	0_2_00E791C0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E8B119	0_2_00E8B119
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E91394	0_2_00E91394
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E91706	0_2_00E91706
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E9781B	0_2_00E9781B
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E919B0	0_2_00E919B0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E8997D	0_2_00E8997D
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E77920	0_2_00E77920
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E97A4A	0_2_00E97A4A
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E97CA7	0_2_00E97CA7
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E91C77	0_2_00E91C77
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EA9EEE	0_2_00EA9EEE
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EFBE44	0_2_00EFBE44
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E91F32	0_2_00E91F32
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_01964248	0_2_01964248
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D071	1_2_0041D071
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004520D2	1_2_004520D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043D098	1_2_0043D098
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00437150	1_2_00437150
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004361AA	1_2_004361AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00426254	1_2_00426254
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00431377	1_2_00431377
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043651C	1_2_0043651C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041E5DF	1_2_0041E5DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0044C739	1_2_0044C739
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004367C6	1_2_004367C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004267CB	1_2_004267CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043C9DD	1_2_0043C9DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00432A49	1_2_00432A49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00436A8D	1_2_00436A8D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043CC0C	1_2_0043CC0C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00436D48	1_2_00436D48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00434D22	1_2_00434D22
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00426E73	1_2_00426E73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00440E20	1_2_00440E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043CE3B	1_2_0043CE3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00412F45	1_2_00412F45
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00452F00	1_2_00452F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00426FAD	1_2_00426FAD

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004020E7 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004338A5 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00433FB0 appears 55 times
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: String function: 00E90A30 appears 46 times
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: String function: 00E8F9F2 appears 31 times

Source: Arrival Notice.exe, 00000000.00000003.1722018408.0000000004333000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice.exe
Source: Arrival Notice.exe, 00000000.00000003.1722591808.00000000044DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice.exe

Source: Arrival Notice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: Arrival Notice.exe PID: 6860, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6992, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/2@0/1

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EE37B5 GetLastError,FormatMessageW,

0_2_00EE37B5

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00ED10BF AdjustTokenPrivileges,CloseHandle,	0_2_00ED10BF
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00ED16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00ED16C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	1_2_00416AB7

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EE51CD

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EFA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00EFA67C

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00EE648E

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00E742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E742A2

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00419BC4

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-3W6OXK

Source: C:\Users\user\Desktop\Arrival Notice.exe

File created: C:\Users\user\AppData\Local\Temp\autF9A7.tmp

Jump to behavior

Source: Arrival Notice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Arrival Notice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Arrival Notice.exe	Virustotal: Detection: 31%
Source: Arrival Notice.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\Arrival Notice.exe "C:\Users\user\Desktop\Arrival Notice.exe"
Source: C:\Users\user\Desktop\Arrival Notice.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice.exe"
Source: C:\Users\user\Desktop\Arrival Notice.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: Arrival Notice.exe

Static file information: File size 1407488 > 1048576

Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Arrival Notice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Arrival Notice.exe, 00000000.00000003.1722018408.0000000004210000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1722152891.00000000043B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Arrival Notice.exe, 00000000.00000003.1722018408.0000000004210000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1722152891.00000000043B0000.00000004.00001000.00020000.00000000.sdmp

Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00E742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E742DE

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E90A76 push ecx; ret	0_2_00E90A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004567E0 push eax; ret	1_2_004567FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045B9DD push esi; ret	1_2_0045B9E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00455EAF push ecx; ret	1_2_00455EC2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00433FF6 push ecx; ret	1_2_00434009

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00406128 ShellExecuteW,URLDownloadToFileW,

1_2_00406128

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00419BC4

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E8F98E
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00F01C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F01C41

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

1_2_0041BCE3

Source: C:\Users\user\Desktop\Arrival Notice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0040E54F Sleep,ExitProcess,

1_2_0040E54F

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Arrival Notice.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96186

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Arrival Notice.exe

API/Special instruction interceptor: Address: 1963E6C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

1_2_004198C2

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 4769			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 5181			Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe	API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 8.8 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 3808	Thread sleep count: 4769 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3808	Thread sleep time: -14307000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3808	Thread sleep count: 5181 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3808	Thread sleep time: -15543000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EDDBBE
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE68EE FindFirstFileW,FindClose,	0_2_00EE68EE
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EE698F
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EDD076
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EDD3A9
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EE9642
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EE979D
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EE9B2B
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EE5C97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_0040B335
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	1_2_0041B42F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_0040B53A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	1_2_004089A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,	1_2_00406AC2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	1_2_00407A8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	1_2_00418C69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	1_2_00408DA7

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_00406F06

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00E742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E742DE

Source: svchost.exe, 00000001.00000002.4156805230.0000000003412000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF

Source: C:\Windows\SysWOW64\svchost.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EEEAA2 BlockInput,

0_2_00EEEAA2

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EA2622

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00E742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E742DE

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E94CE8 mov eax, dword ptr fs:[00000030h]	0_2_00E94CE8
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_01964138 mov eax, dword ptr fs:[00000030h]	0_2_01964138
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_019640D8 mov eax, dword ptr fs:[00000030h]	0_2_019640D8
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_01962AB8 mov eax, dword ptr fs:[00000030h]	0_2_01962AB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00442554 mov eax, dword ptr fs:[00000030h]	1_2_00442554

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00ED0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00ED0B62

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EA2622
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E9083F
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E909D5 SetUnhandledExceptionFilter,	0_2_00E909D5
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00E90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E90C21
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00434168
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0043A65D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00433B44
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00433CD7 SetUnhandledExceptionFilter,	1_2_00433CD7

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 154.216.17.190 2404

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Arrival Notice.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Arrival Notice.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EC4008

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

1_2_00410F36

Source: C:\Users\user\Desktop\Arrival Notice.exe

0_2_00ED1201

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EB2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EB2BA5

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EDB226 SendInput,keybd_event,

0_2_00EDB226

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00EF22DA

Source: C:\Users\user\Desktop\Arrival Notice.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

0_2_00ED0B62

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00ED1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00ED1663

Source: Arrival Notice.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Arrival Notice.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00E90698 cpuid

0_2_00E90698

Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	1_2_004470AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	1_2_004510BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004511E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	1_2_004512EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_004513B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	1_2_00447597
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	1_2_0040E679
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00450A7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	1_2_00450CF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	1_2_00450D42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	1_2_00450DDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00450E6A

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EE8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00EE8195

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00ECD27A GetUserNameW,

0_2_00ECD27A

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00EABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00EABB6F

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00E742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E742DE

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4156834032.0000000003430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156781052.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6992, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

1_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		1_2_0040B335
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \key3.db		1_2_0040B335

Source: Arrival Notice.exe	Binary or memory string: WIN_81
Source: Arrival Notice.exe	Binary or memory string: WIN_XP
Source: Arrival Notice.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Arrival Notice.exe	Binary or memory string: WIN_XPe
Source: Arrival Notice.exe	Binary or memory string: WIN_VISTA
Source: Arrival Notice.exe	Binary or memory string: WIN_7
Source: Arrival Notice.exe	Binary or memory string: WIN_8

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\svchost.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3W6OXK

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice.exe.4190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4156834032.0000000003430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156781052.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6992, type: MEMORYSTR

Source: C:\Windows\SysWOW64\svchost.exe

Code function: cmd.exe

1_2_00405042

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00EF1204
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00EF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00EF1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 Bypass User Account Control	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Bypass User Account Control	LSA Secrets	126 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	2 Valid Accounts	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	322 Process Injection	11 Virtualization/Sandbox Evasion	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	322 Process Injection	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Arrival Notice.exe	31%	Virustotal		Browse
Arrival Notice.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
Arrival Notice.exe	100%	Avira	HEUR/AGEN.1319493
Arrival Notice.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	svchost.exe	false		high
http://geoplugin.net/json.gp/C	Arrival Notice.exe, 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.17.190	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577189
Start date and time:	2024-12-18 09:02:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Arrival Notice.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@3/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 46 Number of non-executed functions: 305
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
03:03:39	API Interceptor	3852636x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.216.17.190	Arrival Notice.vbs	Get hash	malicious	Remcos, GuLoader	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	jew.ppc.elf	Get hash	malicious	Unknown	Browse	156.230.19.169
	http://kmaybelsrka.sbs:6793/bab.zip	Get hash	malicious	Unknown	Browse	154.216.17.175
	https://garfieldthecat.tech/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse	154.216.17.175
	Sublabially.vbs	Get hash	malicious	Remcos, GuLoader	Browse	154.216.18.216
	ZppxPm0ASs.exe	Get hash	malicious	Xmrig	Browse	154.216.20.243
	RUN.VBS.vbs	Get hash	malicious	Unknown	Browse	154.216.18.89
	arm4.elf	Get hash	malicious	Mirai	Browse	156.230.19.168
	h.html	Get hash	malicious	Unknown	Browse	154.216.18.69
	invoice.html	Get hash	malicious	Unknown	Browse	154.216.18.89
	Arrival Notice.vbs	Get hash	malicious	Remcos, GuLoader	Browse	154.216.17.190

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	data
Category:	dropped
Size (bytes):	428882
Entropy (8bit):	7.987033324803843
Encrypted:	false
SSDEEP:	12288:8UPuKDvOhrPzca4KlGN0zYzb3mpSXhJlvmM:PuqmhrlTki8G6/dP
MD5:	58AD3B46649FA41D6640CAB6E04F3DF7
SHA1:	64BB5007113AFF1362EC3F98407D7E24A7DC0CFD
SHA-256:	40CE510CA7A4B3B789C0F27DDEFDDBBB83B95D5D9F2C5974FCCC0D8407F15E84
SHA-512:	364CE5243D8455BF54D91B02798400CE929C3898EF13489B041473AFAB56DD6A19DDAFA7B3913AE6D3093E533D822CB6AEA9AE5977328593D4188275E4E9581A
Malicious:	false
Reputation:	low
Preview:	EA06........Z.Bi3..(..v..N.S...m".E...Jx..Q...@.\.@.~...H......u....1..5\...3..E7..b..t.S_..d....[_..d.X.f...H$.(.r.L..gsl..1.....x.h..on....P.......N........F..y.l..o.....q...n.q.p..._v..P\|..q..=....}.o...~..{....F..o.n0w....d..}7.V.f......91.I~.....KP....x..f2n.D...F.G..h.....I.......R........M. ..E.Tj.jx..M.....L5...S...-..@.L..'m..N..~b....6.eN.....-......\|.......(9..:....i.4...T...............Xf.D..T..k..m`.T.U@.p.U.-..0.PerY.D.T..@?1.U........../.J..\.Oa...~cM...j....q..16...EW..=w..R]3.V/..&..Q.C...m.w ..fs@..... ...N...!.Jth.........u..M.@itZ..?_.Q5...Z.......U#C.U...4..G.J..Zu.....!..l.P.V.....s0.Sf.\|.n...[h.hN_Gr...p.&..9.V+8I$2...^&.8..[0.{op...)...$:YLN.....{NK.~.\......I...QY.n.l.L!.o.z...vhTzM.[..\fzz%.gQ.ad.O....&Sn..g4.M..$....L.r*3J..R.&a. .u7.I.@..tr.D....6..i..b.......w0..%..M.@...U.eM...L^i..R.....W..i..ju"!...8Hd"..._..i5.G...g..5.......:?b}[.S........?..f....".]t.6..E....z.........Mu.V&2Yl..E.X.s.\|w....`4..v.1..$

C:\Users\user\AppData\Local\Temp\fondaco

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	data
Category:	dropped
Size (bytes):	493056
Entropy (8bit):	7.660591572366248
Encrypted:	false
SSDEEP:	6144:jHwCtEKIy1dHtX7z5MBxwJA97lRj+0tiCYFs7Vg+4DPUi7VUu5WvUXbXmE9uS+Df:jFcC5Mr9xZ33YFsgsiE6CEovKE7
MD5:	32B92375643B96D695C4C103D45DB3EA
SHA1:	3E89EB2AA38A23F6B1EEAF34ED46DC7E172F2922
SHA-256:	B444097086CD8BC667D10CEED8EAA7CE1DE8E2B07F7A8DCBDB42083FB9963024
SHA-512:	1FEDE8749F6ED6DDE7AB2437F1141A4E39C077F93C4B941C08AE3E6FDE0C0A0A8D06BB22D6F4C91353DC491F08C56154CD9CFDFC91A9209B71FB3D29D0C6AD55
Malicious:	false
Reputation:	low
Preview:	...EUP43KDG0..FN.NX1MHIE.VP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NP0MHGZ.XP.:.e.1..g.\'+.=:&"77=.P.*)_%u$+.<-_m!'e....^ ".\XLj4NX1MHI.l..{...x.....T.e.....\...W..Y.e.....y......i.Y......n.......v......q...\|...}.......{...y..Uo.y..Zdc..\|.Wf......1R%....VP43ODG0..FNxO]1&.m"EVP43ODG.QWGE5@H1-MIEgTP43OD}.RUF^4NXAHHIE.VP$3ODE0QPFO4NX1MMIDEVP43O.@0QQFN4NX1OHI.EV@43_DG0QEFN$NX1MHIUEVP43ODG0QUf.2N\0MHI%BV.~3ODG0QUFN4NX1MHIEEV.33..G0A.@N.NX1MHIEEVP43ODG0QUF..HX)MHI..PPt3ODG0QUFN4NXAHH.AEVP43ODG0QUFN4NX1MHIEEVP43a0"H%UFN).]1MXIEE6U43KDG0QUFN4NX1MHIeEV0.A+%3QQUF.5NXAHHI.DVPP6ODG0QUFN4NX1M.IE.x4UG.DG0=.FN4N_1MFIEE.V43ODG0QUFN4NXqMH.k7%"W3OD.zQUF.3NX}MHI.CVP43ODG0QUFN4.X1.f; )9343..G0Q.AN4rX1M.NEEVP43ODG0QUF.4N.1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0QUFN4NX1MHIEEVP43ODG0Q

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.283257995372125
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Arrival Notice.exe
File size:	1'407'488 bytes
MD5:	c3f4606a2dee3f372af2108340951322
SHA1:	dad640bb0afeb3f348ef692fe271e7e0ca1eab45
SHA256:	7135dd0f5ab3268a874f61397f34be3d83a7e7b4620be22df6ce6fb1c2fffd7b
SHA512:	6a3d74cbf3697835a2280fe58f815fe7de6d5f23f39290c23a98b63bd8305a602af166598413a1ec2af68a6e30bc8b157f1d7a8fcb9489f1138a95a8c66ee5ba
SSDEEP:	24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aQmBghvjtOSI7JEGr/m:4TvC/MTQYxsWR7aQIgfOn
TLSH:	8155D00273C1C062FFAB92334B5AF6515BBC69660123E51F03A81DBABD705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x676206BA [Tue Dec 17 23:18:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F00315A4253h
jmp 00007F00315A3B5Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F00315A3D3Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F00315A3D0Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F00315A68FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F00315A6948h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F00315A6931h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x80e60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x155000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x80e60	0x81000	34fc3f9d39db12a77439f46edc68473a	False	0.9502255935077519	data	7.9414521569157595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x155000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x784f7	data			1.0003267105121645
RT_GROUP_ICON	0x154908	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x154980	0x14	data	English	Great Britain	1.15
RT_VERSION	0x154994	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x154a70	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T09:03:06.249721+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49730	154.216.17.190	2404	TCP
2024-12-18T09:03:09.603113+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49731	154.216.17.190	2404	TCP
2024-12-18T09:03:12.985262+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49732	154.216.17.190	2404	TCP
2024-12-18T09:03:16.328989+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49733	154.216.17.190	2404	TCP
2024-12-18T09:03:19.673510+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49735	154.216.17.190	2404	TCP
2024-12-18T09:03:23.016739+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49738	154.216.17.190	2404	TCP
2024-12-18T09:03:26.361725+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49741	154.216.17.190	2404	TCP
2024-12-18T09:03:29.704799+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49743	154.216.17.190	2404	TCP
2024-12-18T09:03:33.066100+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49744	154.216.17.190	2404	TCP
2024-12-18T09:03:36.424355+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49745	154.216.17.190	2404	TCP
2024-12-18T09:03:39.768655+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49746	154.216.17.190	2404	TCP
2024-12-18T09:03:43.111896+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49747	154.216.17.190	2404	TCP
2024-12-18T09:03:46.455031+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49748	154.216.17.190	2404	TCP
2024-12-18T09:03:49.831061+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49749	154.216.17.190	2404	TCP
2024-12-18T09:03:53.205392+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49750	154.216.17.190	2404	TCP
2024-12-18T09:03:56.550346+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49751	154.216.17.190	2404	TCP
2024-12-18T09:03:59.893159+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49753	154.216.17.190	2404	TCP
2024-12-18T09:04:03.255242+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49760	154.216.17.190	2404	TCP
2024-12-18T09:04:06.614291+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49771	154.216.17.190	2404	TCP
2024-12-18T09:04:09.954296+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49777	154.216.17.190	2404	TCP
2024-12-18T09:04:13.298205+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49788	154.216.17.190	2404	TCP
2024-12-18T09:04:16.643223+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49794	154.216.17.190	2404	TCP
2024-12-18T09:04:19.989594+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49805	154.216.17.190	2404	TCP
2024-12-18T09:04:23.330493+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49812	154.216.17.190	2404	TCP
2024-12-18T09:04:26.673679+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49822	154.216.17.190	2404	TCP
2024-12-18T09:04:30.017358+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49831	154.216.17.190	2404	TCP
2024-12-18T09:04:33.363214+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49837	154.216.17.190	2404	TCP
2024-12-18T09:04:36.706662+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49847	154.216.17.190	2404	TCP
2024-12-18T09:04:40.050468+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49854	154.216.17.190	2404	TCP
2024-12-18T09:04:43.393261+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49864	154.216.17.190	2404	TCP
2024-12-18T09:04:46.823022+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49870	154.216.17.190	2404	TCP
2024-12-18T09:04:50.174672+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49881	154.216.17.190	2404	TCP
2024-12-18T09:04:53.518760+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49888	154.216.17.190	2404	TCP
2024-12-18T09:04:57.183312+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49898	154.216.17.190	2404	TCP
2024-12-18T09:05:00.472007+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49904	154.216.17.190	2404	TCP
2024-12-18T09:05:03.722996+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49915	154.216.17.190	2404	TCP
2024-12-18T09:05:06.940711+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49921	154.216.17.190	2404	TCP
2024-12-18T09:05:10.129601+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49931	154.216.17.190	2404	TCP
2024-12-18T09:05:13.397288+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49937	154.216.17.190	2404	TCP
2024-12-18T09:05:16.534065+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49946	154.216.17.190	2404	TCP
2024-12-18T09:05:19.644151+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49954	154.216.17.190	2404	TCP
2024-12-18T09:05:22.738070+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49962	154.216.17.190	2404	TCP
2024-12-18T09:05:25.815348+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49971	154.216.17.190	2404	TCP
2024-12-18T09:05:28.847510+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49977	154.216.17.190	2404	TCP
2024-12-18T09:05:31.879986+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49986	154.216.17.190	2404	TCP
2024-12-18T09:05:34.895362+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49994	154.216.17.190	2404	TCP
2024-12-18T09:05:37.915402+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50002	154.216.17.190	2404	TCP
2024-12-18T09:05:40.881000+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50011	154.216.17.190	2404	TCP
2024-12-18T09:05:43.817589+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50016	154.216.17.190	2404	TCP
2024-12-18T09:05:46.801930+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50026	154.216.17.190	2404	TCP
2024-12-18T09:05:49.695373+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50033	154.216.17.190	2404	TCP
2024-12-18T09:05:52.566689+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50039	154.216.17.190	2404	TCP
2024-12-18T09:05:55.427332+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50048	154.216.17.190	2404	TCP
2024-12-18T09:05:58.270101+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50056	154.216.17.190	2404	TCP
2024-12-18T09:06:01.101367+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50058	154.216.17.190	2404	TCP
2024-12-18T09:06:03.927758+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50059	154.216.17.190	2404	TCP
2024-12-18T09:06:06.723646+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50060	154.216.17.190	2404	TCP
2024-12-18T09:06:09.506254+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50061	154.216.17.190	2404	TCP
2024-12-18T09:06:12.301465+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50062	154.216.17.190	2404	TCP
2024-12-18T09:06:15.055429+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50063	154.216.17.190	2404	TCP
2024-12-18T09:06:17.787471+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50064	154.216.17.190	2404	TCP
2024-12-18T09:06:20.504996+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50065	154.216.17.190	2404	TCP
2024-12-18T09:06:23.227526+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50066	154.216.17.190	2404	TCP
2024-12-18T09:06:25.929624+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50067	154.216.17.190	2404	TCP
2024-12-18T09:06:28.627379+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50068	154.216.17.190	2404	TCP
2024-12-18T09:06:31.303427+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50069	154.216.17.190	2404	TCP
2024-12-18T09:06:33.975404+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50070	154.216.17.190	2404	TCP
2024-12-18T09:06:36.646573+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50071	154.216.17.190	2404	TCP
2024-12-18T09:06:39.286782+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50072	154.216.17.190	2404	TCP
2024-12-18T09:06:41.925964+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50073	154.216.17.190	2404	TCP
2024-12-18T09:06:44.553512+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50074	154.216.17.190	2404	TCP
2024-12-18T09:06:47.177135+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50075	154.216.17.190	2404	TCP
2024-12-18T09:06:49.785710+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50076	154.216.17.190	2404	TCP
2024-12-18T09:06:52.383534+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50077	154.216.17.190	2404	TCP
2024-12-18T09:06:54.975092+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50078	154.216.17.190	2404	TCP
2024-12-18T09:06:57.573946+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50079	154.216.17.190	2404	TCP
2024-12-18T09:07:00.145830+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50080	154.216.17.190	2404	TCP
2024-12-18T09:07:02.714328+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50081	154.216.17.190	2404	TCP
2024-12-18T09:07:05.271575+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50082	154.216.17.190	2404	TCP
2024-12-18T09:07:07.818849+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50083	154.216.17.190	2404	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 09:03:03.905909061 CET	49730	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:04.025743008 CET	2404	49730	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:04.025818110 CET	49730	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:04.033570051 CET	49730	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:04.153126955 CET	2404	49730	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:06.249629974 CET	2404	49730	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:06.249721050 CET	49730	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:06.249809027 CET	49730	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:06.369396925 CET	2404	49730	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:07.256483078 CET	49731	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:07.376485109 CET	2404	49731	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:07.376682043 CET	49731	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:07.380311966 CET	49731	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:07.500297070 CET	2404	49731	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:09.603018045 CET	2404	49731	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:09.603112936 CET	49731	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:09.603204966 CET	49731	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:09.726496935 CET	2404	49731	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:10.640069962 CET	49732	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:10.760274887 CET	2404	49732	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:10.760489941 CET	49732	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:10.765760899 CET	49732	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:10.885766029 CET	2404	49732	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:12.985018969 CET	2404	49732	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:12.985261917 CET	49732	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:12.985261917 CET	49732	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:13.105375051 CET	2404	49732	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:13.990997076 CET	49733	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:14.110733986 CET	2404	49733	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:14.110856056 CET	49733	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:14.117665052 CET	49733	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:14.237179995 CET	2404	49733	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:16.328923941 CET	2404	49733	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:16.328989029 CET	49733	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:16.329046011 CET	49733	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:16.448780060 CET	2404	49733	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:17.334465027 CET	49735	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:17.454472065 CET	2404	49735	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:17.454560995 CET	49735	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:17.458535910 CET	49735	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:17.578326941 CET	2404	49735	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:19.673269033 CET	2404	49735	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:19.673510075 CET	49735	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:19.673629999 CET	49735	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:19.793452024 CET	2404	49735	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:20.678860903 CET	49738	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:20.798892975 CET	2404	49738	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:20.799052000 CET	49738	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:20.802447081 CET	49738	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:20.922987938 CET	2404	49738	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:23.016654015 CET	2404	49738	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:23.016738892 CET	49738	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:23.016828060 CET	49738	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:23.136902094 CET	2404	49738	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:24.022161961 CET	49741	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:24.141832113 CET	2404	49741	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:24.141922951 CET	49741	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:24.147041082 CET	49741	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:24.266649961 CET	2404	49741	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:26.361665010 CET	2404	49741	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:26.361725092 CET	49741	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:26.361790895 CET	49741	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:26.481730938 CET	2404	49741	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:27.365911961 CET	49743	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:27.485673904 CET	2404	49743	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:27.485763073 CET	49743	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:27.489403009 CET	49743	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:27.610364914 CET	2404	49743	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:29.704747915 CET	2404	49743	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:29.704798937 CET	49743	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:29.708096981 CET	49743	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:29.827543974 CET	2404	49743	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:30.709642887 CET	49744	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:30.829437017 CET	2404	49744	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:30.829533100 CET	49744	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:30.833153963 CET	49744	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:30.952801943 CET	2404	49744	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:33.065886021 CET	2404	49744	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:33.066099882 CET	49744	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:33.066099882 CET	49744	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:33.186134100 CET	2404	49744	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:34.070300102 CET	49745	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:34.190406084 CET	2404	49745	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:34.190526962 CET	49745	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:34.194794893 CET	49745	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:34.314481020 CET	2404	49745	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:36.424254894 CET	2404	49745	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:36.424355030 CET	49745	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:36.424446106 CET	49745	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:36.543982983 CET	2404	49745	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:37.428510904 CET	49746	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:37.548408985 CET	2404	49746	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:37.548757076 CET	49746	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:37.552422047 CET	49746	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:37.672243118 CET	2404	49746	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:39.768516064 CET	2404	49746	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:39.768655062 CET	49746	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:39.768743992 CET	49746	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:39.888619900 CET	2404	49746	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:40.772182941 CET	49747	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:40.892079115 CET	2404	49747	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:40.892180920 CET	49747	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:40.895898104 CET	49747	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:41.015806913 CET	2404	49747	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:43.111798048 CET	2404	49747	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:43.111896038 CET	49747	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:43.112005949 CET	49747	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:43.231580973 CET	2404	49747	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:44.116125107 CET	49748	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:44.236227036 CET	2404	49748	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:44.236309052 CET	49748	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:44.247250080 CET	49748	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:44.367733955 CET	2404	49748	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:46.454960108 CET	2404	49748	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:46.455030918 CET	49748	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:46.455117941 CET	49748	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:46.574665070 CET	2404	49748	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:47.466703892 CET	49749	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:47.586447001 CET	2404	49749	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:47.586538076 CET	49749	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:47.590600014 CET	49749	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:47.710345030 CET	2404	49749	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:49.830805063 CET	2404	49749	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:49.831060886 CET	49749	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:49.841352940 CET	49749	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:49.960932016 CET	2404	49749	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:50.850277901 CET	49750	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:50.970005989 CET	2404	49750	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:50.971136093 CET	49750	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:50.974564075 CET	49750	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:51.094418049 CET	2404	49750	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:53.205307961 CET	2404	49750	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:53.205391884 CET	49750	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:53.205559015 CET	49750	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:53.325068951 CET	2404	49750	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:54.209659100 CET	49751	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:54.329700947 CET	2404	49751	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:54.329792023 CET	49751	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:54.332804918 CET	49751	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:54.452310085 CET	2404	49751	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:56.550195932 CET	2404	49751	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:56.550345898 CET	49751	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:56.550347090 CET	49751	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:56.670252085 CET	2404	49751	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:57.554362059 CET	49753	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:57.675738096 CET	2404	49753	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:57.675812006 CET	49753	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:57.679115057 CET	49753	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:57.798979044 CET	2404	49753	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:59.892976999 CET	2404	49753	154.216.17.190	192.168.2.4
Dec 18, 2024 09:03:59.893158913 CET	49753	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:03:59.893158913 CET	49753	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:00.012907982 CET	2404	49753	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:00.897397995 CET	49760	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:01.017033100 CET	2404	49760	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:01.017144918 CET	49760	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:01.020215034 CET	49760	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:01.142770052 CET	2404	49760	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:03.252208948 CET	2404	49760	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:03.255242109 CET	49760	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:03.255242109 CET	49760	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:03.374943018 CET	2404	49760	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:04.272283077 CET	49771	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:04.392106056 CET	2404	49771	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:04.392518044 CET	49771	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:04.395838022 CET	49771	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:04.515491962 CET	2404	49771	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:06.612658978 CET	2404	49771	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:06.614290953 CET	49771	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:06.614377022 CET	49771	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:06.733935118 CET	2404	49771	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:07.616182089 CET	49777	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:07.735837936 CET	2404	49777	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:07.735964060 CET	49777	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:07.741080999 CET	49777	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:07.860596895 CET	2404	49777	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:09.954238892 CET	2404	49777	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:09.954296112 CET	49777	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:09.954361916 CET	49777	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:10.073971033 CET	2404	49777	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:10.960011959 CET	49788	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:11.079760075 CET	2404	49788	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:11.080013990 CET	49788	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:11.091195107 CET	49788	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:11.210727930 CET	2404	49788	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:13.298090935 CET	2404	49788	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:13.298204899 CET	49788	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:13.298279047 CET	49788	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:13.417787075 CET	2404	49788	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:14.303833008 CET	49794	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:14.423444986 CET	2404	49794	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:14.423690081 CET	49794	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:14.427748919 CET	49794	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:14.547261953 CET	2404	49794	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:16.643146992 CET	2404	49794	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:16.643223047 CET	49794	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:16.643352985 CET	49794	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:16.763681889 CET	2404	49794	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:17.647140980 CET	49805	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:17.767733097 CET	2404	49805	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:17.767824888 CET	49805	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:17.777793884 CET	49805	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:17.897325993 CET	2404	49805	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:19.986792088 CET	2404	49805	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:19.989593983 CET	49805	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:19.989667892 CET	49805	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:20.109565020 CET	2404	49805	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:20.990839005 CET	49812	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:21.110407114 CET	2404	49812	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:21.110496044 CET	49812	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:21.114304066 CET	49812	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:21.233761072 CET	2404	49812	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:23.330430984 CET	2404	49812	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:23.330492973 CET	49812	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:23.330544949 CET	49812	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:23.449997902 CET	2404	49812	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:24.334929943 CET	49822	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:24.454839945 CET	2404	49822	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:24.454906940 CET	49822	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:24.463485003 CET	49822	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:24.582943916 CET	2404	49822	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:26.673614979 CET	2404	49822	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:26.673679113 CET	49822	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:26.673737049 CET	49822	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:26.793179989 CET	2404	49822	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:27.678455114 CET	49831	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:27.797924995 CET	2404	49831	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:27.798062086 CET	49831	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:27.801871061 CET	49831	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:27.923172951 CET	2404	49831	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:30.017270088 CET	2404	49831	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:30.017358065 CET	49831	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:30.017549992 CET	49831	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:30.137219906 CET	2404	49831	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:31.022238970 CET	49837	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:31.142208099 CET	2404	49837	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:31.143199921 CET	49837	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:31.156663895 CET	49837	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:31.276165009 CET	2404	49837	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:33.362097025 CET	2404	49837	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:33.363214016 CET	49837	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:33.363267899 CET	49837	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:33.482723951 CET	2404	49837	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:34.366451979 CET	49847	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:34.486100912 CET	2404	49847	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:34.487227917 CET	49847	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:34.491065979 CET	49847	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:34.610589027 CET	2404	49847	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:36.706522942 CET	2404	49847	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:36.706661940 CET	49847	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:36.706662893 CET	49847	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:36.826297045 CET	2404	49847	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:37.709665060 CET	49854	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:37.829320908 CET	2404	49854	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:37.829518080 CET	49854	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:37.832997084 CET	49854	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:37.952610016 CET	2404	49854	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:40.050360918 CET	2404	49854	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:40.050467968 CET	49854	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:40.050538063 CET	49854	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:40.170026064 CET	2404	49854	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:41.053613901 CET	49864	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:41.174806118 CET	2404	49864	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:41.177799940 CET	49864	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:41.194516897 CET	49864	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:41.313990116 CET	2404	49864	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:43.393122911 CET	2404	49864	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:43.393260956 CET	49864	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:43.393260956 CET	49864	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:43.512774944 CET	2404	49864	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:44.397459984 CET	49870	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:44.516983986 CET	2404	49870	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:44.517827988 CET	49870	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:44.523037910 CET	49870	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:44.642586946 CET	2404	49870	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:46.822829008 CET	2404	49870	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:46.823021889 CET	49870	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:46.823160887 CET	49870	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:46.945036888 CET	2404	49870	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:47.835504055 CET	49881	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:47.955005884 CET	2404	49881	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:47.955101967 CET	49881	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:47.962960958 CET	49881	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:48.082432985 CET	2404	49881	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:50.174555063 CET	2404	49881	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:50.174671888 CET	49881	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:50.174750090 CET	49881	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:50.294567108 CET	2404	49881	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:51.178972006 CET	49888	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:51.298439026 CET	2404	49888	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:51.298532009 CET	49888	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:51.302407980 CET	49888	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:51.423106909 CET	2404	49888	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:53.518515110 CET	2404	49888	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:53.518759966 CET	49888	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:53.518759966 CET	49888	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:53.638516903 CET	2404	49888	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:54.616914988 CET	49898	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:54.736444950 CET	2404	49898	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:54.737473965 CET	49898	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:54.741050959 CET	49898	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:54.860505104 CET	2404	49898	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:57.182100058 CET	2404	49898	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:57.183311939 CET	49898	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:57.183526993 CET	49898	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:57.302964926 CET	2404	49898	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:58.132750034 CET	49904	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:58.252444029 CET	2404	49904	154.216.17.190	192.168.2.4
Dec 18, 2024 09:04:58.255331993 CET	49904	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:58.259102106 CET	49904	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:04:58.378783941 CET	2404	49904	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:00.471867085 CET	2404	49904	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:00.472007036 CET	49904	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:00.472101927 CET	49904	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:00.591489077 CET	2404	49904	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:01.383145094 CET	49915	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:01.502718925 CET	2404	49915	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:01.503361940 CET	49915	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:01.533205032 CET	49915	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:01.652700901 CET	2404	49915	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:03.722913027 CET	2404	49915	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:03.722995996 CET	49915	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:03.723077059 CET	49915	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:03.842466116 CET	2404	49915	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:04.600600004 CET	49921	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:04.720202923 CET	2404	49921	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:04.721605062 CET	49921	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:04.725431919 CET	49921	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:04.845006943 CET	2404	49921	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:06.940622091 CET	2404	49921	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:06.940711021 CET	49921	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:06.940781116 CET	49921	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:07.060333014 CET	2404	49921	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:07.788116932 CET	49931	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:07.907762051 CET	2404	49931	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:07.907965899 CET	49931	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:07.912147045 CET	49931	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:08.031763077 CET	2404	49931	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:10.127465010 CET	2404	49931	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:10.129601002 CET	49931	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:10.129684925 CET	49931	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:10.249144077 CET	2404	49931	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:10.960134029 CET	49937	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:11.172657967 CET	2404	49937	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:11.173360109 CET	49937	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:11.177074909 CET	49937	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:11.299791098 CET	2404	49937	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:13.395670891 CET	2404	49937	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:13.397288084 CET	49937	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:13.397341967 CET	49937	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:13.516877890 CET	2404	49937	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:14.194252968 CET	49946	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:14.313812017 CET	2404	49946	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:14.314065933 CET	49946	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:14.317888021 CET	49946	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:14.437352896 CET	2404	49946	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:16.533925056 CET	2404	49946	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:16.534065008 CET	49946	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:16.534228086 CET	49946	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:16.653628111 CET	2404	49946	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:17.303776979 CET	49954	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:17.423273087 CET	2404	49954	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:17.425666094 CET	49954	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:17.429435015 CET	49954	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:17.548923969 CET	2404	49954	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:19.644013882 CET	2404	49954	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:19.644150972 CET	49954	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:19.644206047 CET	49954	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:19.763637066 CET	2404	49954	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:20.399116039 CET	49962	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:20.518716097 CET	2404	49962	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:20.518840075 CET	49962	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:20.537826061 CET	49962	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:20.657377958 CET	2404	49962	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:22.737818003 CET	2404	49962	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:22.738070011 CET	49962	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:22.738145113 CET	49962	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:22.857780933 CET	2404	49962	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:23.474127054 CET	49971	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:23.593708038 CET	2404	49971	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:23.597047091 CET	49971	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:23.615041971 CET	49971	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:23.734602928 CET	2404	49971	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:25.815030098 CET	2404	49971	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:25.815347910 CET	49971	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:25.815443993 CET	49971	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:25.935456991 CET	2404	49971	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:26.507150888 CET	49977	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:26.626682997 CET	2404	49977	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:26.628165007 CET	49977	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:26.632309914 CET	49977	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:26.751852036 CET	2404	49977	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:28.847392082 CET	2404	49977	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:28.847510099 CET	49977	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:28.847579956 CET	49977	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:28.967047930 CET	2404	49977	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:29.522382021 CET	49986	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:29.649475098 CET	2404	49986	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:29.649795055 CET	49986	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:29.656847954 CET	49986	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:29.783113956 CET	2404	49986	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:31.879890919 CET	2404	49986	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:31.879986048 CET	49986	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:31.880053997 CET	49986	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:31.999598980 CET	2404	49986	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:32.554126024 CET	49994	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:32.673765898 CET	2404	49994	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:32.673871040 CET	49994	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:32.682017088 CET	49994	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:32.801493883 CET	2404	49994	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:34.894007921 CET	2404	49994	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:34.895361900 CET	49994	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:34.895492077 CET	49994	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:35.015363932 CET	2404	49994	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:35.571885109 CET	50002	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:35.691392899 CET	2404	50002	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:35.694092989 CET	50002	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:35.697644949 CET	50002	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:35.817158937 CET	2404	50002	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:37.910967112 CET	2404	50002	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:37.915401936 CET	50002	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:37.915546894 CET	50002	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:38.034961939 CET	2404	50002	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:38.522641897 CET	50011	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:38.643306971 CET	2404	50011	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:38.645642996 CET	50011	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:38.649435997 CET	50011	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:38.769031048 CET	2404	50011	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:40.880928040 CET	2404	50011	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:40.881000042 CET	50011	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:40.881227016 CET	50011	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:41.000756025 CET	2404	50011	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:41.486344099 CET	50016	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:41.605917931 CET	2404	50016	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:41.606021881 CET	50016	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:41.613589048 CET	50016	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:41.733083963 CET	2404	50016	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:43.815609932 CET	2404	50016	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:43.817589045 CET	50016	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:43.885196924 CET	50016	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:44.004816055 CET	2404	50016	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:44.460257053 CET	50026	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:44.579888105 CET	2404	50026	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:44.580085993 CET	50026	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:44.584101915 CET	50026	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:44.703650951 CET	2404	50026	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:46.801809072 CET	2404	50026	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:46.801929951 CET	50026	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:46.802026987 CET	50026	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:46.921557903 CET	2404	50026	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:47.350611925 CET	50033	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:47.470133066 CET	2404	50033	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:47.471426964 CET	50033	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:47.474992037 CET	50033	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:47.594847918 CET	2404	50033	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:49.692578077 CET	2404	50033	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:49.695373058 CET	50033	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:49.695420980 CET	50033	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:49.815363884 CET	2404	50033	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:50.225568056 CET	50039	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:50.345434904 CET	2404	50039	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:50.347481966 CET	50039	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:50.361978054 CET	50039	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:50.481733084 CET	2404	50039	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:52.566529036 CET	2404	50039	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:52.566689014 CET	50039	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:52.566689014 CET	50039	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:52.686335087 CET	2404	50039	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:53.084758043 CET	50048	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:53.204488039 CET	2404	50048	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:53.204587936 CET	50048	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:53.207917929 CET	50048	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:53.327635050 CET	2404	50048	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:55.426156044 CET	2404	50048	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:55.427331924 CET	50048	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:55.429358006 CET	50048	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:55.548921108 CET	2404	50048	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:55.929018021 CET	50056	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:56.048816919 CET	2404	50056	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:56.051422119 CET	50056	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:56.059916019 CET	50056	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:56.179440975 CET	2404	50056	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:58.270005941 CET	2404	50056	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:58.270101070 CET	50056	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:58.270188093 CET	50056	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:58.389707088 CET	2404	50056	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:58.756762028 CET	50058	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:58.876941919 CET	2404	50058	154.216.17.190	192.168.2.4
Dec 18, 2024 09:05:58.877166986 CET	50058	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:58.880651951 CET	50058	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:05:59.000880003 CET	2404	50058	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:01.099200010 CET	2404	50058	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:01.101366997 CET	50058	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:01.101433992 CET	50058	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:01.221035004 CET	2404	50058	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:01.587542057 CET	50059	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:01.707401991 CET	2404	50059	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:01.709450006 CET	50059	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:01.751322031 CET	50059	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:01.871040106 CET	2404	50059	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:03.927515030 CET	2404	50059	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:03.927757978 CET	50059	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:03.927830935 CET	50059	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:04.048120975 CET	2404	50059	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:04.382210970 CET	50060	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:04.501913071 CET	2404	50060	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:04.502036095 CET	50060	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:04.505459070 CET	50060	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:04.625885010 CET	2404	50060	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:06.723273993 CET	2404	50060	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:06.723645926 CET	50060	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:06.723645926 CET	50060	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:06.843455076 CET	2404	50060	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:07.164397001 CET	50061	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:07.284080029 CET	2404	50061	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:07.284189939 CET	50061	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:07.288265944 CET	50061	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:07.407821894 CET	2404	50061	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:09.503541946 CET	2404	50061	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:09.506253958 CET	50061	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:09.506594896 CET	50061	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:09.626338959 CET	2404	50061	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:09.929423094 CET	50062	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:10.049173117 CET	2404	50062	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:10.049259901 CET	50062	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:10.055489063 CET	50062	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:10.175208092 CET	2404	50062	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:12.301335096 CET	2404	50062	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:12.301465034 CET	50062	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:12.301714897 CET	50062	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:12.422359943 CET	2404	50062	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:12.711430073 CET	50063	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:12.831123114 CET	2404	50063	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:12.831361055 CET	50063	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:12.837481022 CET	50063	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:12.957020044 CET	2404	50063	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:15.051440001 CET	2404	50063	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:15.055428982 CET	50063	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:15.055500031 CET	50063	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:15.175451040 CET	2404	50063	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:15.445067883 CET	50064	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:15.564974070 CET	2404	50064	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:15.567472935 CET	50064	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:15.573303938 CET	50064	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:15.694938898 CET	2404	50064	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:17.786751032 CET	2404	50064	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:17.787471056 CET	50064	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:17.787700891 CET	50064	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:17.907224894 CET	2404	50064	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:18.164037943 CET	50065	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:18.283598900 CET	2404	50065	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:18.283850908 CET	50065	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:18.287386894 CET	50065	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:18.406948090 CET	2404	50065	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:20.504853010 CET	2404	50065	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:20.504996061 CET	50065	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:20.505131960 CET	50065	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:20.624627113 CET	2404	50065	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:20.882015944 CET	50066	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:21.002149105 CET	2404	50066	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:21.002448082 CET	50066	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:21.007909060 CET	50066	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:21.129126072 CET	2404	50066	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:23.223510981 CET	2404	50066	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:23.227525949 CET	50066	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:23.227615118 CET	50066	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:23.347395897 CET	2404	50066	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:23.585040092 CET	50067	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:23.704879045 CET	2404	50067	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:23.705008030 CET	50067	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:23.708877087 CET	50067	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:23.828490019 CET	2404	50067	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:25.926666021 CET	2404	50067	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:25.929624081 CET	50067	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:25.929624081 CET	50067	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:26.049324989 CET	2404	50067	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:26.272567034 CET	50068	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:26.392400980 CET	2404	50068	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:26.392625093 CET	50068	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:26.396265030 CET	50068	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:26.515858889 CET	2404	50068	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:28.622448921 CET	2404	50068	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:28.627378941 CET	50068	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:28.627424955 CET	50068	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:28.747045994 CET	2404	50068	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:28.960196018 CET	50069	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:29.081765890 CET	2404	50069	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:29.081866980 CET	50069	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:29.089638948 CET	50069	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:29.213495016 CET	2404	50069	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:31.300923109 CET	2404	50069	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:31.303426981 CET	50069	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:31.303497076 CET	50069	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:31.423060894 CET	2404	50069	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:31.631936073 CET	50070	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:31.751986980 CET	2404	50070	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:31.755459070 CET	50070	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:31.760435104 CET	50070	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:31.880028009 CET	2404	50070	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:33.972961903 CET	2404	50070	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:33.975404024 CET	50070	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:33.975476027 CET	50070	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:34.095091105 CET	2404	50070	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:34.288319111 CET	50071	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:34.408065081 CET	2404	50071	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:34.408170938 CET	50071	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:34.415394068 CET	50071	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:34.535087109 CET	2404	50071	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:36.646482944 CET	2404	50071	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:36.646573067 CET	50071	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:36.646671057 CET	50071	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:36.766189098 CET	2404	50071	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:36.944531918 CET	50072	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:37.064291954 CET	2404	50072	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:37.065598011 CET	50072	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:37.070000887 CET	50072	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:37.189604998 CET	2404	50072	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:39.286604881 CET	2404	50072	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:39.286782026 CET	50072	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:39.286870003 CET	50072	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:39.408374071 CET	2404	50072	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:39.585207939 CET	50073	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:39.705075026 CET	2404	50073	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:39.705178022 CET	50073	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:39.710303068 CET	50073	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:39.829998016 CET	2404	50073	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:41.925877094 CET	2404	50073	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:41.925964117 CET	50073	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:41.926031113 CET	50073	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:42.045695066 CET	2404	50073	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:42.210283995 CET	50074	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:42.329940081 CET	2404	50074	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:42.330050945 CET	50074	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:42.334913969 CET	50074	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:42.454628944 CET	2404	50074	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:44.551929951 CET	2404	50074	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:44.553512096 CET	50074	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:44.553715944 CET	50074	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:44.673382044 CET	2404	50074	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:44.838042974 CET	50075	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:44.957770109 CET	2404	50075	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:44.958420038 CET	50075	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:44.962081909 CET	50075	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:45.081887007 CET	2404	50075	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:47.177067995 CET	2404	50075	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:47.177134991 CET	50075	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:47.177190065 CET	50075	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:47.296936989 CET	2404	50075	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:47.444540977 CET	50076	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:47.565313101 CET	2404	50076	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:47.565586090 CET	50076	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:47.568531036 CET	50076	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:47.688841105 CET	2404	50076	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:49.785624027 CET	2404	50076	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:49.785710096 CET	50076	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:49.785809994 CET	50076	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:49.905431032 CET	2404	50076	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:50.038187027 CET	50077	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:50.157871962 CET	2404	50077	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:50.157984972 CET	50077	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:50.164382935 CET	50077	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:50.284054041 CET	2404	50077	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:52.379477978 CET	2404	50077	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:52.383533955 CET	50077	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:52.384731054 CET	50077	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:52.504293919 CET	2404	50077	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:52.631978035 CET	50078	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:52.751713037 CET	2404	50078	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:52.751817942 CET	50078	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:52.756510973 CET	50078	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:52.876143932 CET	2404	50078	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:54.974924088 CET	2404	50078	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:54.975091934 CET	50078	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:54.975285053 CET	50078	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:55.094912052 CET	2404	50078	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:55.210205078 CET	50079	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:55.330709934 CET	2404	50079	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:55.334135056 CET	50079	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:55.340790033 CET	50079	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:55.460427046 CET	2404	50079	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:57.570142984 CET	2404	50079	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:57.573945999 CET	50079	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:57.573998928 CET	50079	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:57.693703890 CET	2404	50079	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:57.804461956 CET	50080	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:57.924213886 CET	2404	50080	154.216.17.190	192.168.2.4
Dec 18, 2024 09:06:57.925677061 CET	50080	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:57.932007074 CET	50080	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:06:58.052881002 CET	2404	50080	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:00.145708084 CET	2404	50080	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:00.145829916 CET	50080	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:00.145941973 CET	50080	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:00.266696930 CET	2404	50080	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:00.366347075 CET	50081	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:00.486083984 CET	2404	50081	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:00.487489939 CET	50081	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:00.499283075 CET	50081	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:00.620533943 CET	2404	50081	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:02.710547924 CET	2404	50081	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:02.714328051 CET	50081	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:02.714329004 CET	50081	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:02.834125042 CET	2404	50081	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:02.929199934 CET	50082	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:03.048998117 CET	2404	50082	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:03.049732924 CET	50082	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:03.054863930 CET	50082	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:03.174546003 CET	2404	50082	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:05.271337032 CET	2404	50082	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:05.271574974 CET	50082	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:05.271575928 CET	50082	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:05.391247034 CET	2404	50082	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:05.479646921 CET	50083	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:05.599417925 CET	2404	50083	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:05.600816011 CET	50083	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:05.604298115 CET	50083	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:05.723958969 CET	2404	50083	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:07.818727016 CET	2404	50083	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:07.818849087 CET	50083	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:07.818929911 CET	50083	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:07.938973904 CET	2404	50083	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:08.834760904 CET	50084	2404	192.168.2.4	154.216.17.190
Dec 18, 2024 09:07:08.954639912 CET	2404	50084	154.216.17.190	192.168.2.4
Dec 18, 2024 09:07:08.955466986 CET	50084	2404	192.168.2.4	154.216.17.190

Target ID:	0
Start time:	03:02:58
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\Arrival Notice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice.exe"
Imagebase:	0xe70000
File size:	1'407'488 bytes
MD5 hash:	C3F4606A2DEE3F372AF2108340951322
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1725800784.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:03:02
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice.exe"
Imagebase:	0x5f0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4156834032.0000000003430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4156781052.0000000003400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000001.00000002.4156451148.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	3%
Total number of Nodes:	1959
Total number of Limit Nodes:	53

Executed Functions

Function 00E742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E7430D

Part of subcall function 00E76B57: _wcslen.LIBCMT ref: 00E76B6A

GetCurrentProcess.KERNEL32(?,00F0CB64,00000000,?,?), ref: 00E74422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E74429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E74454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E74466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E74474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E7447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E744A0

Strings

kernel32.dll, xrefs: 00E7444F
GetNativeSystemInfo, xrefs: 00E74460
|O, xrefs: 00EB36F8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f0a8264375ec74911ca6d1dcd9237e869e1a17493da904810705cef3f312fc50
Instruction ID: 81e2b4425065a130ca51d4c24762e50cfee38cfa8e4eeac90d7f4eb512e0ae37
Opcode Fuzzy Hash: f0a8264375ec74911ca6d1dcd9237e869e1a17493da904810705cef3f312fc50
Instruction Fuzzy Hash: 82A1C6BA90A2DCDFC711CFB97C411F67FA47B37344B04A599D885A3A62E3204584FB61

Function 00E742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E750AA,?,?,00000000,00000000), ref: 00E742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E750AA,?,?,00000000,00000000), ref: 00E742C9
LoadResource.KERNEL32(?,00000000,?,?,00E750AA,?,?,00000000,00000000,?,?,?,?,?,?,00E74F20), ref: 00EB35BE
SizeofResource.KERNEL32(?,00000000,?,?,00E750AA,?,?,00000000,00000000,?,?,?,?,?,?,00E74F20), ref: 00EB35D3
LockResource.KERNEL32(00E750AA,?,?,00E750AA,?,?,00000000,00000000,?,?,?,?,?,?,00E74F20,?), ref: 00EB35E6

Strings

SCRIPT, xrefs: 00E742BF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ac23f1e9d7644765969dd5868d161d6a12faa717062f5c0d5a3cf448536297c4
Instruction ID: 4cfdf27437a1aa403f29ecba7548c96093b90831c661cf1d69e5eacdb6dcb643
Opcode Fuzzy Hash: ac23f1e9d7644765969dd5868d161d6a12faa717062f5c0d5a3cf448536297c4
Instruction Fuzzy Hash: 47118EB0200704BFD7219B65DC49F677BBDFBC6B55F208269F406E66A0DB71DC109A60

Function 00EDDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00EDDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00EDDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00EDDBEE
FindClose.KERNEL32(00000000), ref: 00EDDBFA

Strings

"R, xrefs: 00EDDBCA

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: efe6e2c9bc4d4c1238b31f3458d28895705480dd26c5ebdd7ba11a94a810a898
Instruction ID: f8a8d9bdba3197de5e347c14d40b8a65be3ac3009251ad4ea777a108eaf6f6cf
Opcode Fuzzy Hash: efe6e2c9bc4d4c1238b31f3458d28895705480dd26c5ebdd7ba11a94a810a898
Instruction Fuzzy Hash: 03F0A03082891857C2206B78AC0E8BAB76CEE01338F205703F836D22E1EBB0595696D5

Function 00EB2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E72B6B

Part of subcall function 00E73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F41418,?,00E72E7F,?,?,?,00000000), ref: 00E73A78

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F32224), ref: 00EB2C10
ShellExecuteW.SHELL32(00000000,?,?,00F32224), ref: 00EB2C17

Strings

runas, xrefs: 00EB2C0B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c52802cf951d7cdcf3ebb417d0b75c190a0ad8a64b28b5cd7846751bee659c4f
Instruction ID: 516033149cc3ef68bf8fd2b41c232a034cb231d40f41243e67dd4f3ed2ac8207
Opcode Fuzzy Hash: c52802cf951d7cdcf3ebb417d0b75c190a0ad8a64b28b5cd7846751bee659c4f
Instruction Fuzzy Hash: 5D11B4312083056AC714FF70D8529AEBBE4AFA1714F04B42DF68A720A3CF30854AB752

Function 00E7D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E7D807
timeGetTime.WINMM ref: 00E7DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E7DB28
TranslateMessage.USER32(?), ref: 00E7DB7B
DispatchMessageW.USER32(?), ref: 00E7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E7DB9F
Sleep.KERNEL32(0000000A), ref: 00E7DBB1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 93856e1f6c56997b597cd38d22f57957d432dfaf21298600fa02b267914b1c1f
Instruction ID: 40de54a4153f5d527f99ef8c53074ff7a37bfe2565659cf0da502dd6ff4737db
Opcode Fuzzy Hash: 93856e1f6c56997b597cd38d22f57957d432dfaf21298600fa02b267914b1c1f
Instruction Fuzzy Hash: 184200306082459FD728CF24CC44FAAB7F0BF86308F14A65DE95AA7291D771E845DB92

Function 00E72CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E72D07
RegisterClassExW.USER32(00000030), ref: 00E72D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E72D42
InitCommonControlsEx.COMCTL32(?), ref: 00E72D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E72D6F
LoadIconW.USER32(000000A9), ref: 00E72D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E72D94

Strings

TaskbarCreated, xrefs: 00E72D37
0, xrefs: 00E72CE9
AutoIt v3 GUI, xrefs: 00E72D23
+, xrefs: 00E72CF0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 440013dd9df8c97ff3efc1d0ed5dfd06b2b951019937e89655bd162f8b757582
Instruction ID: cf2bc26be0c60522f9868111479089b0b1b541ba844aa1138f7c68810c676f27
Opcode Fuzzy Hash: 440013dd9df8c97ff3efc1d0ed5dfd06b2b951019937e89655bd162f8b757582
Instruction Fuzzy Hash: CC21C3B595121CAFEB00DFA4E949BDDBBB4FB09700F00821AF911A62A0D7B54584EF91

Function 00EA8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 00EA903A, 00EA8FD0, 00EA8FF2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: 5cf82cbe4bafa0a3f9fbf0731e30bd9ceb4b1210f30205ce77a7d0ceea371cdb
Instruction ID: 222daa8f62c05cdd32e09efc18f5ace291edbdfba30f0d9d1b44125614c838ec
Opcode Fuzzy Hash: 5cf82cbe4bafa0a3f9fbf0731e30bd9ceb4b1210f30205ce77a7d0ceea371cdb
Instruction Fuzzy Hash: FAC1D474A042499FDF11DFA8C881BADBBF4AF5F314F145199F914BB292CB30A941CB61

Function 00EB065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EB039A: CreateFileW.KERNELBASE(00000000,00000000,?,00EB0704,?,?,00000000,?,00EB0704,00000000,0000000C), ref: 00EB03B7

GetLastError.KERNEL32 ref: 00EB076F
__dosmaperr.LIBCMT ref: 00EB0776
GetFileType.KERNELBASE(00000000), ref: 00EB0782
GetLastError.KERNEL32 ref: 00EB078C
__dosmaperr.LIBCMT ref: 00EB0795
CloseHandle.KERNEL32(00000000), ref: 00EB07B5
CloseHandle.KERNEL32(?), ref: 00EB08FF
GetLastError.KERNEL32 ref: 00EB0931
__dosmaperr.LIBCMT ref: 00EB0938

Strings

H, xrefs: 00EB08BD

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: c4c0629c0657e53817f0b36649b8493d39a6e9bc14523f72940892129c3d9ad8
Instruction ID: b12846a1acd60f96b1b8009437f145e9ab8333f5196d27440e25840e22276165
Opcode Fuzzy Hash: c4c0629c0657e53817f0b36649b8493d39a6e9bc14523f72940892129c3d9ad8
Instruction Fuzzy Hash: C7A12532A141188FDF19EF68D851BEF7BE0EB4A324F141159F815EF2A1CB31A912DB91

Function 00E7344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F41418,?,00E72E7F,?,?,?,00000000), ref: 00E73A78

Part of subcall function 00E73357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E73379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E7356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EB318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EB31CE
RegCloseKey.ADVAPI32(?), ref: 00EB3210
_wcslen.LIBCMT ref: 00EB3277
_wcslen.LIBCMT ref: 00EB3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00E73560
\Include\, xrefs: 00E73527
Include, xrefs: 00EB3184, 00EB31C5
\, xrefs: 00EB328C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e6d34eab6824a1f5abeaa84f1d217f22aca332bbd76fe0b025ab40818f7ff9d2
Instruction ID: 2ca13af1056baea537d0053dcb54a240375259edde8d5d41f1427e6b8352a9fe
Opcode Fuzzy Hash: e6d34eab6824a1f5abeaa84f1d217f22aca332bbd76fe0b025ab40818f7ff9d2
Instruction Fuzzy Hash: AE71C2714043059EC354EF69DC828ABBBF8FF95740F80553EF949A31A1EB309A48EB52

Function 00E72B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E72B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E72B9D
LoadIconW.USER32(00000063), ref: 00E72BB3
LoadIconW.USER32(000000A4), ref: 00E72BC5
LoadIconW.USER32(000000A2), ref: 00E72BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E72BEF
RegisterClassExW.USER32(?), ref: 00E72C40

Part of subcall function 00E72CD4: GetSysColorBrush.USER32(0000000F), ref: 00E72D07
Part of subcall function 00E72CD4: RegisterClassExW.USER32(00000030), ref: 00E72D31
Part of subcall function 00E72CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E72D42
Part of subcall function 00E72CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E72D5F
Part of subcall function 00E72CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E72D6F
Part of subcall function 00E72CD4: LoadIconW.USER32(000000A9), ref: 00E72D85
Part of subcall function 00E72CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E72D94

Strings

#, xrefs: 00E72C16
0, xrefs: 00E72C0F
AutoIt v3, xrefs: 00E72C2F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5792acef8dd460f4246040b0a195d1811b93a366c2af6f91d3367143a6fdbf15
Instruction ID: 42860b08caf1d6cb3c7045340155e1e580f1688d54eb270de5dd830443a49d77
Opcode Fuzzy Hash: 5792acef8dd460f4246040b0a195d1811b93a366c2af6f91d3367143a6fdbf15
Instruction Fuzzy Hash: CE215E78E4031CAFDB109FA5ED45BAE7FB4FB59B50F00411AFA00A66A0D3B10580EF90

Function 00E73170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E7316A,?,?), ref: 00E731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E7316A,?,?), ref: 00E73204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E73227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E7316A,?,?), ref: 00E73232
CreatePopupMenu.USER32 ref: 00E73246
PostQuitMessage.USER32(00000000), ref: 00E73267

Strings

TaskbarCreated, xrefs: 00E7322D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8bd7892d91b915a209149cdb401cd4af4bba5e027998b9ba9139db70d96d04ac
Instruction ID: 79d293bf63812cfd9781b147fa805e35b87e7f0ad4286a14478326d3a5504cc0
Opcode Fuzzy Hash: 8bd7892d91b915a209149cdb401cd4af4bba5e027998b9ba9139db70d96d04ac
Instruction Fuzzy Hash: E1415C35250248A7DB555F789C0DBF93B55FB06344F14A229FD09B52B3C771CA80B7A2

Function 01963228 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 019632F9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0196351F

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 81873db4fb33bee805b17ba900a1de97c81f27a84cbd5b4022851098cd9e73a8
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 84A10874E00209EBDB15CFA4C994BAEFBB9FF48705F108559E209BB280D7759A41CB61

Function 00E72C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E72C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E72CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E71CAD,?), ref: 00E72CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E71CAD,?), ref: 00E72CCF

Strings

edit, xrefs: 00E72CAC
AutoIt v3, xrefs: 00E72C89, 00E72C8E, 00E72C8F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3ae75f847cc80c01e8004dba0c584292423585ddac82e2008492e90a2efd3fdc
Instruction ID: 97a0fb1f22169f984d54caf58437d73ead808a6de86ed74ff74b80cb6bcb259b
Opcode Fuzzy Hash: 3ae75f847cc80c01e8004dba0c584292423585ddac82e2008492e90a2efd3fdc
Instruction Fuzzy Hash: B1F0DA795402987AEB311B17AC48E777EBDE7D7F50B00005AFD00A35A0C6621894FAB1

Function 01962FF8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01962EE8: Sleep.KERNELBASE(000001F4), ref: 01962EF9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0196311B

Strings

HIEEVP43ODG0QUFN4NX1M, xrefs: 0196317E, 01963181

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID: CreateFileSleep
String ID: HIEEVP43ODG0QUFN4NX1M
API String ID: 2694422964-322644881
Opcode ID: 74c0a4f94e0e1937e377596d40a06f072f3cda4ca6fac2b1eb0ddfc00f4496e6
Instruction ID: e7235693a6097dac72ea4b2467a3aeecbd7b118303a34564cb17f7a33b6934c4
Opcode Fuzzy Hash: 74c0a4f94e0e1937e377596d40a06f072f3cda4ca6fac2b1eb0ddfc00f4496e6
Instruction Fuzzy Hash: E3519170D04289DAEF11DBA4C854BEFBBB9AF59300F004599E6087B2C1D6BA5B44CBB5

Function 00EE2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EE2C05
DeleteFileW.KERNEL32(?), ref: 00EE2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EE2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EE2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EE2CC0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 703a6dcd1fdc39289563da52435b07a891128bb71eff6c0bbf0eb4be452c82dd
Instruction ID: bc9cce09fa90979bb11de9395ee16b7c481792aed53a22b3f0812aca5a9af871
Opcode Fuzzy Hash: 703a6dcd1fdc39289563da52435b07a891128bb71eff6c0bbf0eb4be452c82dd
Instruction Fuzzy Hash: D0B14C7290011DABDF21EFA5CC85EDEB7BDEF48350F1050AAF609F6151EB319A448B61

Function 00EA5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO, xrefs: 00EA5BA8, 00EA5C6C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 4825a9dc41dddf16c5fdb514240013ccb82307195512c76f63a13b45b465b4c9
Instruction ID: 8c4bcd1b6f3a8b8ac7a09cf15c68c0907beffed6b15bb2abd3c4bd9895f4d0c6
Opcode Fuzzy Hash: 4825a9dc41dddf16c5fdb514240013ccb82307195512c76f63a13b45b465b4c9
Instruction Fuzzy Hash: B351B072D00609AFCF109FA4C845FEEBBB8AF4E324F14215AF505BF292D635A901DB61

Function 00E73B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E73B0F,SwapMouseButtons,00000004,?), ref: 00E73B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E73B0F,SwapMouseButtons,00000004,?), ref: 00E73B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E73B0F,SwapMouseButtons,00000004,?), ref: 00E73B83

Strings

Control Panel\Mouse, xrefs: 00E73B3E

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: bc3f5745eb943dc8e3a4c8478acaae04394efad9593e0bf9ab8867229544cacf
Instruction ID: 0d4417e2fd603f553f69861882d36606b8627b758201f8593829348506020b4b
Opcode Fuzzy Hash: bc3f5745eb943dc8e3a4c8478acaae04394efad9593e0bf9ab8867229544cacf
Instruction Fuzzy Hash: 9C112AB5510208FFDB608FB5DC44AEEBBBDEF04744B10955AA809E7110D2319E40A7A0

Function 01961EE8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 019626A3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01962739
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0196275B

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: f139811b2e29ba4c0fc1ed6d08f926b9590357eb6a2e5ff59d73caca20c101e6
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: 7E62FB30A14258DBEB24CFA4C850BDEB776FF58301F1095A9D10DEB290E7799E81CB69

Function 00E7DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00EC32B7

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: e697c8e910f80a8772a7c1296ccf5d5d399de29f3d8f46b73e89e5a711cfc735
Instruction ID: 5b1b86f2002dce1ae2fd6310df1c225a22ff08a7af9fa9e098ef3078c1c73cfb
Opcode Fuzzy Hash: e697c8e910f80a8772a7c1296ccf5d5d399de29f3d8f46b73e89e5a711cfc735
Instruction Fuzzy Hash: 52C27975A00204DFCB24DF68C881AADB7F1BF19314F24D5A9E919BB3A1D371AD42CB91

Function 00E8FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E90668

Part of subcall function 00E932A4: RaiseException.KERNEL32(?,?,?,00E9068A,?,00F41444,?,?,?,?,?,?,00E9068A,00E71129,00F38738,00E71129), ref: 00E93304

__CxxThrowException@8.LIBVCRUNTIME ref: 00E90685

Strings

Unknown exception, xrefs: 00E90692

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e1dd329292629a7fd9796dc67c7a5be0de1135278f020323189de91b6f6c1f2b
Instruction ID: acf066967bda88743b76303fc07b87801efedfedafa6fa2e8e428babb4e4a685
Opcode Fuzzy Hash: e1dd329292629a7fd9796dc67c7a5be0de1135278f020323189de91b6f6c1f2b
Instruction Fuzzy Hash: CEF0C23490030DBBCF10B674D846D9E77AC5E00354BA05131F928F69E2EF71EA66D6C1

Function 00EE3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EE302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00EE3044

Strings

aut, xrefs: 00EE3038

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 212785b9b58f951ff1d253a04ed7594c45a090867775823ac7eeffcec9cf79c7
Instruction ID: 5c718e471b52617346d0ad81d1c5df2c7ddf39b75fc80002b7ff0e2254420d95
Opcode Fuzzy Hash: 212785b9b58f951ff1d253a04ed7594c45a090867775823ac7eeffcec9cf79c7
Instruction Fuzzy Hash: 7AD05E7250032877DA20A7A4AC0EFCB3B6CEB05760F0002A1B655E20D1DAB4D984CAD0

Function 00EF7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00EF82F5
TerminateProcess.KERNEL32(00000000), ref: 00EF82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00EF84DD

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 86cd177dadc6de0caa62b8df30e34f1473f53d2ccd7c84d8f73f48031f013f10
Instruction ID: 9f4d104365063307298aa1a7087f9cd3d272512b56c50bc9ab915dbd25dc6cf1
Opcode Fuzzy Hash: 86cd177dadc6de0caa62b8df30e34f1473f53d2ccd7c84d8f73f48031f013f10
Instruction Fuzzy Hash: 00128B71A083059FD714DF28C580B2ABBE1BF85318F04995DE999AB392DB30ED45CB92

Function 00E710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E71BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E71BF4
Part of subcall function 00E71BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E71BFC
Part of subcall function 00E71BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E71C07
Part of subcall function 00E71BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E71C12
Part of subcall function 00E71BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E71C1A
Part of subcall function 00E71BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E71C22

Part of subcall function 00E71B4A: RegisterWindowMessageW.USER32(00000004,?,00E712C4), ref: 00E71BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E7136A
OleInitialize.OLE32 ref: 00E71388
CloseHandle.KERNEL32(00000000,00000000), ref: 00EB24AB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b4cf5671d5f2b2f9308233d80b7823fc9803de2ee2ef30ecd3e5015f41ade7cd
Instruction ID: b2c98d73b72b5851fdc9faa820494905a250abd852fe98f9db9fe6b68337266f
Opcode Fuzzy Hash: b4cf5671d5f2b2f9308233d80b7823fc9803de2ee2ef30ecd3e5015f41ade7cd
Instruction Fuzzy Hash: D67199BC9513088EC384EF79ED456953AE0BBAA344318922ADD1AD73B2EB3044C5FF51

Function 00EDC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E73923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E73A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EDC259
KillTimer.USER32(?,00000001,?,?), ref: 00EDC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EDC270

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 62a3e84244454fe49186160edec889efdbd28d6aef5145cdfb56ca8b6a45d20f
Instruction ID: b2491076eee1a1313d049b4ca6ef08b71faa465122d3ebf7b6a9922a886a96ac
Opcode Fuzzy Hash: 62a3e84244454fe49186160edec889efdbd28d6aef5145cdfb56ca8b6a45d20f
Instruction Fuzzy Hash: 3D31C370904744AFEB32CF648895BEBBBECEB06348F10149EE6DAA3351C3745A85CB51

Function 00EA86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00EA85CC,?,00F38CC8,0000000C), ref: 00EA8704
GetLastError.KERNEL32(?,00EA85CC,?,00F38CC8,0000000C), ref: 00EA870E
__dosmaperr.LIBCMT ref: 00EA8739

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 14c4e7dc0d502ffa5128f188be327d0d03a2863b16f8309c762d0662f94639b0
Instruction ID: a8d6d75e4a391226f67e11ddc10b46ba8e64e48fc2019d2a2e679a9aebc55470
Opcode Fuzzy Hash: 14c4e7dc0d502ffa5128f188be327d0d03a2863b16f8309c762d0662f94639b0
Instruction Fuzzy Hash: B9016B3360462026EA2063346A45B7E2B894BCB77CF383229F804FF0D2DEB0FC858190

Function 00E7DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E7DB7B
DispatchMessageW.USER32(?), ref: 00E7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E7DB9F
Sleep.KERNEL32(0000000A), ref: 00E7DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00EC1CC9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a6cc83b191308e0897ab4e998662c2c9439e7b09a053173bbf896cec31c11ca7
Instruction ID: 8bcded62d9caef70c601ea60921ce9433ab4bb2ebbc297e83c7bf4dc81f09b7f
Opcode Fuzzy Hash: a6cc83b191308e0897ab4e998662c2c9439e7b09a053173bbf896cec31c11ca7
Instruction Fuzzy Hash: 7CF0FE306483489BEB34DB608C49FEA73B8FF55314F505619F65EA30D0DB70A4899B55

Function 00EE2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00EE2CD4,?,?,?,00000004,00000001), ref: 00EE2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00EE2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EE3006
CloseHandle.KERNEL32(00000000,?,00EE2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EE300D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ab431134ad6fd7b5b742278add3fae0e54599908f64b5021c365d3a87c689d4c
Instruction ID: ee6f2e6d0fde041c5e4592e24e28c71f1ac45f4e96ea05ee8ad7453ebd5e5fd8
Opcode Fuzzy Hash: ab431134ad6fd7b5b742278add3fae0e54599908f64b5021c365d3a87c689d4c
Instruction Fuzzy Hash: A4E0863228021877E2301765BC0DF8B3A1CE786B75F104310F759760D146A0150152E8

Function 00E81310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E817F6

Strings

CALL, xrefs: 00E817C6

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 52c15f84e6778bebf31aa1b7bd41f68ad759ae701fe13551f029b819ff5d7857
Instruction ID: de3c9dd316dc83bb092bfa6e93aed890744a441a6071ef7a49a859ec8bb77964
Opcode Fuzzy Hash: 52c15f84e6778bebf31aa1b7bd41f68ad759ae701fe13551f029b819ff5d7857
Instruction Fuzzy Hash: 43227C706082419FC714EF14C480B6ABBF5BF85314F2499ADF49EAB3A1D732E846CB52

Function 00EE6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE6F6B

Part of subcall function 00E74ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00EE6F5A, 00EE6F63

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 730ff3addd759c7456376ebfe4b9cc7c878969b9a63edfed4e2e1f2bacbd4425
Instruction ID: f92f5f0f0bcc9a57b89374ad7b9c4ee09e8a4fd71da5090346a991eb1c6f963c
Opcode Fuzzy Hash: 730ff3addd759c7456376ebfe4b9cc7c878969b9a63edfed4e2e1f2bacbd4425
Instruction Fuzzy Hash: A7B1C4712082459FCB14EF20C491D6EB7E5AF94304F14986DF49AA72A2EB30ED49CB92

Function 00E72DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00EB2C8C

Part of subcall function 00E73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E73A97,?,?,00E72E7F,?,?,?,00000000), ref: 00E73AC2

Part of subcall function 00E72DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E72DC4

Strings

X, xrefs: 00EB2C5A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 5f897c8b02b48394d2c0aff4f61d275b467cc5df021204ac463b59ba319ea28b
Instruction ID: 3f9d74411e2746d364456ed7729d9f501d2eed1f1b6a915d20ae93eabf7a628e
Opcode Fuzzy Hash: 5f897c8b02b48394d2c0aff4f61d275b467cc5df021204ac463b59ba319ea28b
Instruction Fuzzy Hash: 21219371A00258ABDB41DF94C845BEE7BF8AF49314F009059E509F7241DBB45A899FA1

Function 00EE2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00EE2587

Strings

EA06, xrefs: 00EE25B9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: e584a121c4f47ae8384d742024a3e6651320e00558709580a86ba83569ecc2b9
Instruction ID: 3342c90b58b68aa9a05b8873b3eff1db65a29069b4d797ccef11947f69690b9f
Opcode Fuzzy Hash: e584a121c4f47ae8384d742024a3e6651320e00558709580a86ba83569ecc2b9
Instruction Fuzzy Hash: BF01B5729042587EDF28CBA8C856EEEBBF89B05315F00459EE252E2181E5B4E6088B60

Function 01961EE5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 019626A3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01962739
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0196275B

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: d6b8493d53d3f4e580a232547f46816edbd3e021b0c182d4b9cb1a121c64f813
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 3A12DE24E24658C6EB24DF64D8507DEB236EF68300F1094E9910DEB7A4E77A4F81CF5A

Function 00E8FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00E8FD1F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e06cef63d0fe2fa584268331a8322fd2c278c18b5e8393da8efa2ddef151eb2f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 01310675A00109DBC718EF59D480A69F7A2FF49304B24A6A5E90DEF655D731EEC1CBC0

Function 00E74ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E74E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E74EDD,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74E9C
Part of subcall function 00E74E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E74EAE
Part of subcall function 00E74E90: FreeLibrary.KERNEL32(00000000,?,?,00E74EDD,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74EFD

Part of subcall function 00E74E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EB3CDE,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74E62
Part of subcall function 00E74E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E74E74
Part of subcall function 00E74E59: FreeLibrary.KERNEL32(00000000,?,?,00EB3CDE,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74E87

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 507ee28a7a9ca7f632062060e07e870fa47784bd5b4e4e8886221b2c636fa4ce
Instruction ID: f1e0884a01af63754a816303e55adadc785c369af7b9f543b7f080e613f3af32
Opcode Fuzzy Hash: 507ee28a7a9ca7f632062060e07e870fa47784bd5b4e4e8886221b2c636fa4ce
Instruction Fuzzy Hash: E511C472700205AADB14AB60DC02BAD77E5AF40710F10E42DF546BA1C1DF709A05AB90

Function 00EA8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00EA8440

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 187fa505e827dc6e50e792ee190e3c4a8ccd871f88ed5ab2e2433214d399345d
Instruction ID: 7d3e9993520af156a252c6a2c14f1e1a5bdb4b76e0b9a9a158c3bb72709ba2aa
Opcode Fuzzy Hash: 187fa505e827dc6e50e792ee190e3c4a8ccd871f88ed5ab2e2433214d399345d
Instruction Fuzzy Hash: 1511067590420AAFCB05DF58E94199E7BF9EF49314F104059F818AB312DA31EA118BA5

Function 00EA5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EA4C7D: RtlAllocateHeap.NTDLL(00000008,00E71129,00000000,?,00EA2E29,00000001,00000364,?,?,?,00E9F2DE,00EA3863,00F41444,?,00E8FDF5,?), ref: 00EA4CBE

_free.LIBCMT ref: 00EA506C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 169e65dff678a62e33c7cd0133488f5e5d00e98c75f0a6cb11f719ffc1f57d6f
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: E2012B732047045BE3218E659881A5AFBE8FB8E370F25051DE194A72C0E6707905C674

Function 00E9E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1c4fc18bb5e7ca3cb369a31bca26583f662f2f6394d4b8bfaaf9b36408e5a802
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 81F0F972510E1496DE317A698C05B5A37D89F97334F101715F621BA3D3DB70E80185A5

Function 00EA4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00E71129,00000000,?,00EA2E29,00000001,00000364,?,?,?,00E9F2DE,00EA3863,00F41444,?,00E8FDF5,?), ref: 00EA4CBE

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd7e45969564b8ee480aaa427f190aa01c4f7b2db6d25757e5bbfd27ec79d68e
Instruction ID: e612d951114b172d6bdc56107f784d1872295fb9c1fb01c3f8be9accaab4371f
Opcode Fuzzy Hash: cd7e45969564b8ee480aaa427f190aa01c4f7b2db6d25757e5bbfd27ec79d68e
Instruction Fuzzy Hash: CEF0BB7160622466FB215F629C05F56BBC8BFC7774B186211B81DBE1D1CAF0F80156D0

Function 00EA3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F41444,?,00E8FDF5,?,?,00E7A976,00000010,00F41440,00E713FC,?,00E713C6,?,00E71129), ref: 00EA3852

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e8420d59172285b31c900994364e295795896d22ca738440e4a0cf73efa65857
Instruction ID: e563dfd34ec821fcf8a119f3001cc537ef99a9cec240581742451850c799cc7c
Opcode Fuzzy Hash: e8420d59172285b31c900994364e295795896d22ca738440e4a0cf73efa65857
Instruction Fuzzy Hash: 8FE0E53110122466DA352B779C04F9A36C8AF4B7B4F152220BC04BE4D1DB18FD0182E0

Function 00E74F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74F6D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f79e778de04b02e532a3aab667b5d5f9ecb61acea44d793793a70b4efa01bb80
Instruction ID: acba91a6f553d1c9c45702a1bfac98f02f329ed1d6100c1bf1fbec29a921177d
Opcode Fuzzy Hash: f79e778de04b02e532a3aab667b5d5f9ecb61acea44d793793a70b4efa01bb80
Instruction Fuzzy Hash: 54F01CB1205751CFDB389F64D490852B7E4BF15319320E96EE1EE92651C7319844EB50

Function 00E72DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E72DC4

Part of subcall function 00E76B57: _wcslen.LIBCMT ref: 00E76B6A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 391feb247e66201b290a840ad1da1650d4ac7ff6ad08c07b0dc02776e5b5ae8b
Instruction ID: 97eee70bdda0446cee093f79fc4b71cb5178c0de32b4fa7f23b0f73072419ec0
Opcode Fuzzy Hash: 391feb247e66201b290a840ad1da1650d4ac7ff6ad08c07b0dc02776e5b5ae8b
Instruction Fuzzy Hash: 02E0CD726001245BC71093589C05FEA77DDEFC8794F0541B1FD09E7249D960AD80C590

Function 00EE2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00EE26B5

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 875ecacf252565a7fbdac0266c3c566bd9ba1915a3587dd0922e38be4640d581
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: F4E0DFB0209B004FCF3C9E28A8527B677E89F09304F00082EF69B92312E57228418A0D

Function 00E72B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E73837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E73908

Part of subcall function 00E7D730: GetInputState.USER32 ref: 00E7D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00E72B6B

Part of subcall function 00E730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E7314E

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ae929691b5e29b5fbeb9cc8638f9ef4ab9bb57afa616baf6418038b83e19f8f0
Instruction ID: 515711af4cc397f87ee4f5e4e2335d128843b8a0fe5f8cb39b2774d1f8b9f27a
Opcode Fuzzy Hash: ae929691b5e29b5fbeb9cc8638f9ef4ab9bb57afa616baf6418038b83e19f8f0
Instruction Fuzzy Hash: 3DE0862130424806C608BB75985256DB7D9AFE2355F40B53EF54AA31A3CF2445856252

Function 00EB039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00EB0704,?,?,00000000,?,00EB0704,00000000,0000000C), ref: 00EB03B7

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: aa4e8ce1d15ac260c308c3055d559abed48281c2d418b62f972f7b3f5d4a094e
Instruction ID: a5b048b5ee4b08b67716137e381ef299c5e059cfa5039ea7b0eae616454bd70e
Opcode Fuzzy Hash: aa4e8ce1d15ac260c308c3055d559abed48281c2d418b62f972f7b3f5d4a094e
Instruction Fuzzy Hash: 36D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014100BE1856020C732E821AB90

Function 00E71CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E71CBC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b75341391c157a50d43b1ba1aaad4647801d044288223c11e659585d82aac58c
Instruction ID: 481ea04f81697a6a30d91414401d67b8a9d0825a67e8f21d1dcb5aa77a76bf77
Opcode Fuzzy Hash: b75341391c157a50d43b1ba1aaad4647801d044288223c11e659585d82aac58c
Instruction Fuzzy Hash: 46C09B3D38030C9FF2144B80BC4AF207754B359F00F484001FA09555E3C7A11450F650

Function 01962EE8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01962EF9

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e18f29100170897569c99617415c73002d6adf1c60c7723d1989a2a3156cfe5c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 9AE0E67494410EDFDB00DFB4D54D69D7BB4EF04301F100161FD05D2281D6309D508A72

Non-executed Functions

Function 00F09576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E89BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F0961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F0965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F0969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F096C9
SendMessageW.USER32 ref: 00F096F2
GetKeyState.USER32(00000011), ref: 00F0978B
GetKeyState.USER32(00000009), ref: 00F09798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F097AE
GetKeyState.USER32(00000010), ref: 00F097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F097E9
SendMessageW.USER32 ref: 00F09810
SendMessageW.USER32(?,00001030,?,00F07E95), ref: 00F09918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F0992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F09941
SetCapture.USER32(?), ref: 00F0994A
ClientToScreen.USER32(?,?), ref: 00F099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F099D6
ReleaseCapture.USER32 ref: 00F099E1
GetCursorPos.USER32(?), ref: 00F09A19
ScreenToClient.USER32(?,?), ref: 00F09A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F09A80
SendMessageW.USER32 ref: 00F09AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F09AEB
SendMessageW.USER32 ref: 00F09B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F09B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F09B4A
GetCursorPos.USER32(?), ref: 00F09B68
ScreenToClient.USER32(?,?), ref: 00F09B75
GetParent.USER32(?), ref: 00F09B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F09BFA
SendMessageW.USER32 ref: 00F09C2B
ClientToScreen.USER32(?,?), ref: 00F09C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F09CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F09CDE
SendMessageW.USER32 ref: 00F09D01
ClientToScreen.USER32(?,?), ref: 00F09D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F09D82

Part of subcall function 00E89944: GetWindowLongW.USER32(?,000000EB), ref: 00E89952

GetWindowLongW.USER32(?,000000F0), ref: 00F09E05

Strings

F, xrefs: 00F09D07
@GUI_DRAGID, xrefs: 00F0997D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: b77514e90b4384f0cf899ec0f48e7d23d0eda6934a39c48cb06aa05c1d06bcb9
Instruction ID: 4df59be4b57673accb1b7cb89ab06ed907718c5781886fabd42b655d101c9e51
Opcode Fuzzy Hash: b77514e90b4384f0cf899ec0f48e7d23d0eda6934a39c48cb06aa05c1d06bcb9
Instruction Fuzzy Hash: D9428235608205AFD724CF24CC44AAABBE5FF49320F144619FA59972E2E7B2D850FF51

Function 00F04873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00F048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00F04908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00F04927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00F0494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00F0495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00F0497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00F049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00F049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00F04A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F04A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F04A7E
IsMenu.USER32(?), ref: 00F04A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F04AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F04B20
GetWindowLongW.USER32(?,000000F0), ref: 00F04B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00F04BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00F04C82
wsprintfW.USER32 ref: 00F04CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F04CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F04CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F04D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F04D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F04D5A

Strings

%d/%02d/%02d, xrefs: 00F04CA8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b6251e850a3a715c07d42a1fcc8acd6b5d8f8787f9d8c97beab93cc7b7a73cd2
Instruction ID: e6650baf98d8a552a9f12bb710231d83f80e7d36734a62af3df8164669269d01
Opcode Fuzzy Hash: b6251e850a3a715c07d42a1fcc8acd6b5d8f8787f9d8c97beab93cc7b7a73cd2
Instruction Fuzzy Hash: 3E12B3B1A00219ABEB359F24CC49FAE7BE8FF45720F104219F619EB1D1DB74A941EB50

Function 00E8F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E8F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ECF474
IsIconic.USER32(00000000), ref: 00ECF47D
ShowWindow.USER32(00000000,00000009), ref: 00ECF48A
SetForegroundWindow.USER32(00000000), ref: 00ECF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ECF4AA
GetCurrentThreadId.KERNEL32 ref: 00ECF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ECF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ECF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ECF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00ECF4DE
SetForegroundWindow.USER32(00000000), ref: 00ECF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ECF4F6
keybd_event.USER32(00000012,00000000), ref: 00ECF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ECF50B
keybd_event.USER32(00000012,00000000), ref: 00ECF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ECF519
keybd_event.USER32(00000012,00000000), ref: 00ECF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ECF528
keybd_event.USER32(00000012,00000000), ref: 00ECF52D
SetForegroundWindow.USER32(00000000), ref: 00ECF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00ECF557

Strings

Shell_TrayWnd, xrefs: 00ECF46F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7b46a611a60e1165edd6a4901d3c96e5ddb128c44db7d129ededcda9ae81dc89
Instruction ID: caff963bd87a32eb387ca38660901e2caf66c8c27aa7adab1a02c103da759301
Opcode Fuzzy Hash: 7b46a611a60e1165edd6a4901d3c96e5ddb128c44db7d129ededcda9ae81dc89
Instruction Fuzzy Hash: A3316171A4021CBBEB206BB55D4AFBF7E6DFB44B50F141129FA04F61D1C6B29D01AAA0

Function 00ED1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00ED16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED170D
Part of subcall function 00ED16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED173A
Part of subcall function 00ED16C3: GetLastError.KERNEL32 ref: 00ED174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00ED1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00ED12A8
CloseHandle.KERNEL32(?), ref: 00ED12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00ED12D1
GetProcessWindowStation.USER32 ref: 00ED12EA
SetProcessWindowStation.USER32(00000000), ref: 00ED12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00ED1310

Part of subcall function 00ED10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ED11FC), ref: 00ED10D4
Part of subcall function 00ED10BF: CloseHandle.KERNEL32(?,?,00ED11FC), ref: 00ED10E9

Strings

default, xrefs: 00ED130B
, xrefs: 00ED125A
winsta0, xrefs: 00ED12CC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: afeb121c5411967b39c3e2fd020f66e49f1a33418d549e03119632cd442d37ee
Instruction ID: 9d6ad29a56fca50dc694b9068495c9992c048ed9d9bedeb6850f8923f69d591d
Opcode Fuzzy Hash: afeb121c5411967b39c3e2fd020f66e49f1a33418d549e03119632cd442d37ee
Instruction Fuzzy Hash: 89818B71900209BFDF219FA4DC49BEE7BB9FF04708F14526AF924B62A0C7718946DB61

Function 00ED0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED1114
Part of subcall function 00ED10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED1120
Part of subcall function 00ED10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED112F
Part of subcall function 00ED10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED1136
Part of subcall function 00ED10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ED0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ED0C00
GetLengthSid.ADVAPI32(?), ref: 00ED0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00ED0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ED0C6D
GetLengthSid.ADVAPI32(?), ref: 00ED0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00ED0C8C
HeapAlloc.KERNEL32(00000000), ref: 00ED0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ED0CB4
CopySid.ADVAPI32(00000000), ref: 00ED0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ED0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ED0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ED0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED0D45
HeapFree.KERNEL32(00000000), ref: 00ED0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED0D55
HeapFree.KERNEL32(00000000), ref: 00ED0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED0D65
HeapFree.KERNEL32(00000000), ref: 00ED0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00ED0D78
HeapFree.KERNEL32(00000000), ref: 00ED0D7F

Part of subcall function 00ED1193: GetProcessHeap.KERNEL32(00000008,00ED0BB1,?,00000000,?,00ED0BB1,?), ref: 00ED11A1
Part of subcall function 00ED1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00ED0BB1,?), ref: 00ED11A8
Part of subcall function 00ED1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00ED0BB1,?), ref: 00ED11B7

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e8659ef5acc166111bdbd565a439a3ded3a1c2c8892f9ddbfa4e76f838718741
Instruction ID: f6d52746060ecd0a5c5848f3e9887973fc10120bd81b128cc13855716050c82c
Opcode Fuzzy Hash: e8659ef5acc166111bdbd565a439a3ded3a1c2c8892f9ddbfa4e76f838718741
Instruction Fuzzy Hash: D8715C7290020AAFDF10DFA5DC48BAEBBB9FF05314F184616E914F7291D771A906CBA0

Function 00EEEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F0CC08), ref: 00EEEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EEEB37
GetClipboardData.USER32(0000000D), ref: 00EEEB43
CloseClipboard.USER32 ref: 00EEEB4F
GlobalLock.KERNEL32(00000000), ref: 00EEEB87
CloseClipboard.USER32 ref: 00EEEB91
GlobalUnlock.KERNEL32(00000000), ref: 00EEEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EEEBC9
GetClipboardData.USER32(00000001), ref: 00EEEBD1
GlobalLock.KERNEL32(00000000), ref: 00EEEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00EEEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EEEC38
GetClipboardData.USER32(0000000F), ref: 00EEEC44
GlobalLock.KERNEL32(00000000), ref: 00EEEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EEEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EEEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EEECD2
GlobalUnlock.KERNEL32(00000000), ref: 00EEECF3
CountClipboardFormats.USER32 ref: 00EEED14
CloseClipboard.USER32 ref: 00EEED59

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 83959a91f8a631496bedd805179c60863f9712c7d9d8064e652c8b4862dc1810
Instruction ID: 8a9b8635f83c212f8c36144c40721a801e61e7c9da22cce79cb9177f20b83def
Opcode Fuzzy Hash: 83959a91f8a631496bedd805179c60863f9712c7d9d8064e652c8b4862dc1810
Instruction Fuzzy Hash: D061B1342042499FD310EF25D885F6AB7E4BF84708F14A61DF45AA73A2DB31DD05DBA2

Function 00EE698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EE69BE
FindClose.KERNEL32(00000000), ref: 00EE6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EE6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EE6A75

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00EE6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EE6ADF

Strings

%02d, xrefs: 00EE6C00, 00EE6C0A, 00EE6C5A, 00EE6CAA, 00EE6CFA, 00EE6D4A
%4d, xrefs: 00EE6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00EE6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00EE6B6A
%03d, xrefs: 00EE6DA2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: fd84ed753429a91f3b0199ffb4cd30eb2852ea8fc8c749e5729d10576117ef65
Instruction ID: 622ac99046ce12d1fc13304b7e52b47eac7a7b81bc380bf3db6b2b539281f866
Opcode Fuzzy Hash: fd84ed753429a91f3b0199ffb4cd30eb2852ea8fc8c749e5729d10576117ef65
Instruction Fuzzy Hash: C7D16071508344AFC714EBA0C892EABB7ECAF98704F04591DF589E7191EB74DA44CB62

Function 00EE9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EE9663
GetFileAttributesW.KERNEL32(?), ref: 00EE96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00EE96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00EE96D3
FindClose.KERNEL32(00000000), ref: 00EE96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00EE96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE974A
SetCurrentDirectoryW.KERNEL32(00F36B7C), ref: 00EE9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EE9772
FindClose.KERNEL32(00000000), ref: 00EE977F
FindClose.KERNEL32(00000000), ref: 00EE978F

Strings

*.*, xrefs: 00EE96F5

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 6b14cb24a3399f932f76a1a5d71ae83962ed27b9c1db3e57c85420d3ca55d38d
Instruction ID: 16d9f17db6dc522f2685d7e4c67863d3df37e0c2fdc2e3e7015d8576016a1d77
Opcode Fuzzy Hash: 6b14cb24a3399f932f76a1a5d71ae83962ed27b9c1db3e57c85420d3ca55d38d
Instruction Fuzzy Hash: 1831D33250025E7ADF20AFB5EC49ADE77ECAF49364F105166F905F20A2DB34DD449E50

Function 00EE979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EE97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00EE9819
FindClose.KERNEL32(00000000), ref: 00EE9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00EE9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE9890
SetCurrentDirectoryW.KERNEL32(00F36B7C), ref: 00EE98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EE98B8
FindClose.KERNEL32(00000000), ref: 00EE98C5
FindClose.KERNEL32(00000000), ref: 00EE98D5

Part of subcall function 00EDDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EDDB00

Strings

*.*, xrefs: 00EE983B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 26502dea065f8c6745d0b8e7d7c33d1d5b0132a8368de808b04c424774a5e2fc
Instruction ID: 3536b3375cdbba1c6bda45e224dd9841ff8f5c08e0542f5dd54ca51c65344e6b
Opcode Fuzzy Hash: 26502dea065f8c6745d0b8e7d7c33d1d5b0132a8368de808b04c424774a5e2fc
Instruction Fuzzy Hash: 7C31C33250065D6ADF24AFB5DC48ADE77ECAF46324F109155E810F21F2EB30DD459B64

Function 00EE8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EE8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EE8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EE8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EE838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE8395

Strings

*.*, xrefs: 00EE839B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a8f69c89c4d505d92ef59d5686b2e54a648669e7d9feb7f699c6d064e6487f76
Instruction ID: 3b0ee162dc9a91764b5f08a78524055a0ad1f94b6fd99aa08b841cd8c5a6e0b2
Opcode Fuzzy Hash: a8f69c89c4d505d92ef59d5686b2e54a648669e7d9feb7f699c6d064e6487f76
Instruction Fuzzy Hash: 88617A725083499FCB10EF61C8419AFB3E8FF89314F04991EF999A7251EB31E945CB92

Function 00EDD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E73A97,?,?,00E72E7F,?,?,?,00000000), ref: 00E73AC2

Part of subcall function 00EDE199: GetFileAttributesW.KERNEL32(?,00EDCF95), ref: 00EDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EDD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00EDD1DD
MoveFileW.KERNEL32(?,?), ref: 00EDD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EDD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EDD237

Part of subcall function 00EDD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00EDD21C,?,?), ref: 00EDD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00EDD253
FindClose.KERNEL32(00000000), ref: 00EDD264

Strings

\*.*, xrefs: 00EDD0CD, 00EDD0D6, 00EDD0EB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 6199a3363576deae11a433e0f15daba79f82f26631c50357bfd7c8fd347f687c
Instruction ID: 3c745e7e476573d2ad24ad6b269b1adedca3b9a7c11f1f3755bf7f301bc117bc
Opcode Fuzzy Hash: 6199a3363576deae11a433e0f15daba79f82f26631c50357bfd7c8fd347f687c
Instruction Fuzzy Hash: C1615D3180510DAACF05EBE0DE92DEDB7B5EF55304F249166E405772A2EB306F0ADB61

Function 00EEED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EEED91
EmptyClipboard.USER32 ref: 00EEED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EEEDAC
CloseClipboard.USER32 ref: 00EEEEA3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4216a64c7d4b3039675701119daf61ec7aef4832515160e25277809719601f05
Instruction ID: 881e920c7e792830b563a38b0efdc577adaef27d9dec483270f271fb9d0a08e1
Opcode Fuzzy Hash: 4216a64c7d4b3039675701119daf61ec7aef4832515160e25277809719601f05
Instruction Fuzzy Hash: 2141BC35604255AFE320CF26D888B29BBE5FF44318F14D199E419AB7A2C732EC41CBD0

Function 00EDE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED170D
Part of subcall function 00ED16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED173A
Part of subcall function 00ED16C3: GetLastError.KERNEL32 ref: 00ED174A

ExitWindowsEx.USER32(?,00000000), ref: 00EDE932

Strings

SeShutdownPrivilege, xrefs: 00EDE902
@, xrefs: 00EDE925
, xrefs: 00EDE95C
, xrefs: 00EDE920

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 223a3e4da914eb4083dc5c35663cf485acb00043adf1c6c66eb91827757d77b1
Instruction ID: 9a941056795f88189ee9c53c6d975bc3a85b27779df2794749a0ee812cf7c467
Opcode Fuzzy Hash: 223a3e4da914eb4083dc5c35663cf485acb00043adf1c6c66eb91827757d77b1
Instruction Fuzzy Hash: 3F012672611215BBEB1433B49C9EBBF729CEB44754F141963FC02F63D1D5A05C429190

Function 00EF1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00EF1276
WSAGetLastError.WSOCK32 ref: 00EF1283
bind.WSOCK32(00000000,?,00000010), ref: 00EF12BA
WSAGetLastError.WSOCK32 ref: 00EF12C5
closesocket.WSOCK32(00000000), ref: 00EF12F4
listen.WSOCK32(00000000,00000005), ref: 00EF1303
WSAGetLastError.WSOCK32 ref: 00EF130D
closesocket.WSOCK32(00000000), ref: 00EF133C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 09269d7569fbba17b8837de563229418abdbab84ba556a332cfe881690140fe2
Instruction ID: 6a7fcab2ce7b097835eafac1fd0fda5ea90c384dfe171d5219b1950f3361b085
Opcode Fuzzy Hash: 09269d7569fbba17b8837de563229418abdbab84ba556a332cfe881690140fe2
Instruction Fuzzy Hash: 7E418E31600148DFE710DF64C488B29BBE6BF46318F18D188E956AF2A6C771ED81DBE1

Function 00EDD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E73A97,?,?,00E72E7F,?,?,?,00000000), ref: 00E73AC2

Part of subcall function 00EDE199: GetFileAttributesW.KERNEL32(?,00EDCF95), ref: 00EDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EDD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EDD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EDD481
FindClose.KERNEL32(00000000), ref: 00EDD498
FindClose.KERNEL32(00000000), ref: 00EDD4A1

Strings

\*.*, xrefs: 00EDD3F2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 55325b2e86734ebf57e79c91f25606662526374ff065f45245690b414330b07e
Instruction ID: e8cf0e92d13bd81ae841fb7a08af8f23ef5f08926819559be844076785351202
Opcode Fuzzy Hash: 55325b2e86734ebf57e79c91f25606662526374ff065f45245690b414330b07e
Instruction Fuzzy Hash: 8A31723100C3459BC304EF64DC518AF77E8FE91314F44AA2EF4E5A3291EB20AA09D763

Function 00EAE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EAE645

Strings

1#IND, xrefs: 00EAF83D
1#INF, xrefs: 00EAF852
1#SNAN, xrefs: 00EAF844
1#QNAN, xrefs: 00EAF84B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 44355c68a082b1890ac7b81cd205071b87d2a6c3068567e35e0db4b937d49cf8
Instruction ID: 662b66be7ea216ad9046689ecca2bbdaba42f3eb61e2ac499ffa0dad79af54ea
Opcode Fuzzy Hash: 44355c68a082b1890ac7b81cd205071b87d2a6c3068567e35e0db4b937d49cf8
Instruction Fuzzy Hash: 43C22971E046288FDB25CF689D407EAB7B5EB8A305F1551EAD44DFB240E778AE818F40

Function 00EE648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE64DC
CoInitialize.OLE32(00000000), ref: 00EE6639
CoCreateInstance.OLE32(00F0FCF8,00000000,00000001,00F0FB68,?), ref: 00EE6650
CoUninitialize.OLE32 ref: 00EE68D4

Strings

.lnk, xrefs: 00EE64BA, 00EE6524, 00EE65E0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 85f57c7347a764e8cddd038a04691622ef3b7871504094539bce53d128b128be
Instruction ID: 21448e9b2f73599a711cd784a3acf4d9fae3c134faa32f7d5a0dfeada0522ad5
Opcode Fuzzy Hash: 85f57c7347a764e8cddd038a04691622ef3b7871504094539bce53d128b128be
Instruction Fuzzy Hash: 8CD15B71608345AFD314DF24C881D6BB7E8FF94344F10996DF5999B2A2EB30E909CB92

Function 00EF22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00EF22E8

Part of subcall function 00EEE4EC: GetWindowRect.USER32(?,?), ref: 00EEE504

GetDesktopWindow.USER32 ref: 00EF2312
GetWindowRect.USER32(00000000), ref: 00EF2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EF2355
GetCursorPos.USER32(?), ref: 00EF2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EF23DF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 6cc331e1abb0f9d19e722d79d99c10229fdd5f61b22a5a9660ad7a073ee98917
Instruction ID: 744522ae3af887ab99c12e1a65dbaeabe220e7e117df8d2413df8047709e6abc
Opcode Fuzzy Hash: 6cc331e1abb0f9d19e722d79d99c10229fdd5f61b22a5a9660ad7a073ee98917
Instruction Fuzzy Hash: 9131B0B250531A9BCB20DF54C849A6BBBA9FF84314F001A1DF685A7291D734E909CB91

Function 00EE9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EE9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EE9C8B

Part of subcall function 00EE3874: GetInputState.USER32 ref: 00EE38CB
Part of subcall function 00EE3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EE3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EE9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EE9C75

Strings

*.*, xrefs: 00EE9B5D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4f0b4254ac9f4084eabbc12dbd77122f4705faea471f4e93a4e7370974ebeff7
Instruction ID: 3ffdbe33ba9d33d5b43b37caf64dd4ff5ffa9b64c525ecb7c3dff89f2d4c3716
Opcode Fuzzy Hash: 4f0b4254ac9f4084eabbc12dbd77122f4705faea471f4e93a4e7370974ebeff7
Instruction Fuzzy Hash: 8141607190024EAFDF14EF65C845AEEBBF8EF05314F249155E805B2192EB309E84DFA1

Function 00E8997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E89BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E89A4E
GetSysColor.USER32(0000000F), ref: 00E89B23
SetBkColor.GDI32(?,00000000), ref: 00E89B36

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4c9ef5522bc3dd67009d3c1ef936744c127c3e8dba45f42db9ee5f19e7491471
Instruction ID: 850d2674422420a6ed923f4c5b26d79129346c54bf233b1230fb9a9d7f6a8035
Opcode Fuzzy Hash: 4c9ef5522bc3dd67009d3c1ef936744c127c3e8dba45f42db9ee5f19e7491471
Instruction Fuzzy Hash: BBA12B70508408BEE729BA3C8D48EBB369DEB42344B18214DF44EF69D3CA269D42E775

Function 00EF1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF304E: inet_addr.WSOCK32(?), ref: 00EF307A
Part of subcall function 00EF304E: _wcslen.LIBCMT ref: 00EF309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00EF185D
WSAGetLastError.WSOCK32 ref: 00EF1884
bind.WSOCK32(00000000,?,00000010), ref: 00EF18DB
WSAGetLastError.WSOCK32 ref: 00EF18E6
closesocket.WSOCK32(00000000), ref: 00EF1915

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: fff3e51a9541e82e265ce37e1e036fc0ad68a1a5be542dbf0fbfb442292865c1
Instruction ID: e7d9548a0d7e692d3ddb48e4c01e216992a005609893d963ddac0398ecd37d0a
Opcode Fuzzy Hash: fff3e51a9541e82e265ce37e1e036fc0ad68a1a5be542dbf0fbfb442292865c1
Instruction Fuzzy Hash: 5651A071A00204AFDB14AF24C886F6A77E5AB44718F18D098FA1A6F293D671AD418BE1

Function 00F01C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F01CC0
IsWindowEnabled.USER32 ref: 00F01CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00F01CDB
IsIconic.USER32 ref: 00F01CE9
IsZoomed.USER32 ref: 00F01CF7

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d24ded16baed681f4e782a6ed0a2d2637e0b7240f2cf298a4dc3f13d3999db4d
Instruction ID: 76aa39b9555436729b4b604afdecc0b83129e2bb0aafa9d8b2a280cf09fd5026
Opcode Fuzzy Hash: d24ded16baed681f4e782a6ed0a2d2637e0b7240f2cf298a4dc3f13d3999db4d
Instruction Fuzzy Hash: 5E219431B402115FE7208F2AC884B6A7BE5FF85324F19C058E84A8B291CB75DC42FB90

Function 00E78060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E783E8
VUUU, xrefs: 00E7843C
ERCP, xrefs: 00E7813C
VUUU, xrefs: 00E783FA
VUUU, xrefs: 00EB5DF0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ccbd9873106191b63d9f301e96ee2537acd91e8e6e6057272015eb58f1d86804
Instruction ID: 6eb1a1aca7b907f86828ba13af10b3ddfe2f52e6d26749eb5e84c9f06040599c
Opcode Fuzzy Hash: ccbd9873106191b63d9f301e96ee2537acd91e8e6e6057272015eb58f1d86804
Instruction Fuzzy Hash: CCA28E71E4021ACBDF24CF58C9447EEB7B1BB64318F2491AAD819B7285EB749D81CF90

Function 00E94CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00EA28E9,(,00E94CBE,00000000,00F388B8,0000000C,00E94E15,(,00000002,00000000,?,00EA28E9,00000003,00EA2DF7,?,?), ref: 00E94D09
TerminateProcess.KERNEL32(00000000,?,00EA28E9,00000003,00EA2DF7,?,?,?,00E9E6D1,?,00F38A48,00000010,00E74F4A,?,?,00000000), ref: 00E94D10
ExitProcess.KERNEL32 ref: 00E94D22

Strings

(, xrefs: 00E94CEA

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: 954a7575b60a2d7dabeb21983498e1e53e9d2923b1c6c3ee16a931e32bd8aa0b
Instruction ID: c57b1ecd7dacaa735d27e0d7392fc27cf1cdfe6e2ce21438b18b462715581c6b
Opcode Fuzzy Hash: 954a7575b60a2d7dabeb21983498e1e53e9d2923b1c6c3ee16a931e32bd8aa0b
Instruction Fuzzy Hash: 00E0B6B5010148ABCF15AF64DD09E583B69FB46785B109114FC05AA162CB35ED42DA80

Function 00EFA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EFA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00EFA6BA

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Process32NextW.KERNEL32(00000000,?), ref: 00EFA79C
CloseHandle.KERNEL32(00000000), ref: 00EFA7AB

Part of subcall function 00E8CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00EB3303,?), ref: 00E8CE8A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: bc03e27f97a825c3f30ba8d88bfee7e787ff6d898acdd8ace3f4b551c5bcaf74
Instruction ID: 4aae571a57a3a01c265596dbe809fd286477cf44132bddc0a56b7f965d1eb8b4
Opcode Fuzzy Hash: bc03e27f97a825c3f30ba8d88bfee7e787ff6d898acdd8ace3f4b551c5bcaf74
Instruction Fuzzy Hash: 49516F715083049FD714EF24C886E6BBBE8FF89754F04992DF599A7252EB30D904CB92

Function 00EDAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00EDAAAC
SetKeyboardState.USER32(00000080), ref: 00EDAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00EDAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00EDAB88

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2ec1627d68e622fba30951b2bd365cd4fcc58fa43beb417a10b7d76d727f0b56
Instruction ID: fb6f15c4100b14e6ff893e63427f44ccbac325f714f7cb774297ceffd497c0d6
Opcode Fuzzy Hash: 2ec1627d68e622fba30951b2bd365cd4fcc58fa43beb417a10b7d76d727f0b56
Instruction Fuzzy Hash: 22310930A40208AEEB358B648C05BFA7BA6EB45314F0C632BF585762D1D3758A83D792

Function 00EABB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EABB7F

Part of subcall function 00EA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000), ref: 00EA29DE
Part of subcall function 00EA29C8: GetLastError.KERNEL32(00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000,00000000), ref: 00EA29F0

GetTimeZoneInformation.KERNEL32 ref: 00EABB91
WideCharToMultiByte.KERNEL32(00000000,?,00F4121C,000000FF,?,0000003F,?,?), ref: 00EABC09
WideCharToMultiByte.KERNEL32(00000000,?,00F41270,000000FF,?,0000003F,?,?,?,00F4121C,000000FF,?,0000003F,?,?), ref: 00EABC36

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: a78ffb509f62c436f3f405075d33209a548974bdb8987e1a0dd6df7f2737f142
Instruction ID: 2583b3ecc846d7c0d7910ec6ffb2cc2641f420a59148fc1eea8e1b31ddd29e0a
Opcode Fuzzy Hash: a78ffb509f62c436f3f405075d33209a548974bdb8987e1a0dd6df7f2737f142
Instruction Fuzzy Hash: 3C31C370904209DFCB10DF69DC80869BBB8FF5B320714525AE410EF2A2D770AE40DB50

Function 00EECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EECE89
GetLastError.KERNEL32(?,00000000), ref: 00EECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EECEFE

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 945eca03e7c81d6d9870d29f943d0c4dd966bbb745c0b05bbb89ce7d7fd4bc43
Instruction ID: fb1872ecf31617a573c81d8fe50231c2357cfcb841e2c503eb401c9857562802
Opcode Fuzzy Hash: 945eca03e7c81d6d9870d29f943d0c4dd966bbb745c0b05bbb89ce7d7fd4bc43
Instruction Fuzzy Hash: 1C21B071500309AFDB20DFA6C945BAA77F8EB00318F20541EE646E2161E774ED06DBA0

Function 00ED8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00ED82AA

Strings

|, xrefs: 00ED82DA
(, xrefs: 00ED82F0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8dd78fccfd4573ed1e283bc8bd220288bd60c2486488b493cf1717f090719365
Instruction ID: b5bf43c7aa06e153087051ff160e58f2602c6c58faea6674b762a7776b92207d
Opcode Fuzzy Hash: 8dd78fccfd4573ed1e283bc8bd220288bd60c2486488b493cf1717f090719365
Instruction Fuzzy Hash: 52323874A006059FCB28CF59C58196AB7F0FF48724B15D56EE49AEB3A1EB70E942CB40

Function 00EE5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EE5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00EE5D17
FindClose.KERNEL32(?), ref: 00EE5D5F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 609ef85e8aa367ea0a027f8ce710287a548e0e7854164ea735d300be1bf92f5f
Instruction ID: c436e2fd03d28c835365727d72707c2912d8fd21b37936406f25d6fe8f4b873a
Opcode Fuzzy Hash: 609ef85e8aa367ea0a027f8ce710287a548e0e7854164ea735d300be1bf92f5f
Instruction Fuzzy Hash: E451CC35600A459FC704CF28C894E9AB7E4FF4A318F24955EE95A9B3A2CB30ED04CF91

Function 00EA2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00EA271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EA2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00EA2731

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 67b8ba48fc44a9727b96fea71b3980bb6a7ea0db83b18e5ce03a164e0f06d2a4
Instruction ID: 6c79fd38f0594a6e82c878f795d1c4c1622da78640a5cc80148a17eaf4843153
Opcode Fuzzy Hash: 67b8ba48fc44a9727b96fea71b3980bb6a7ea0db83b18e5ce03a164e0f06d2a4
Instruction Fuzzy Hash: A731C47491121CABCF21DF68DC887D8B7B8BF08310F5052EAE91CA6260E7709F818F84

Function 00EE51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EE51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EE5238
SetErrorMode.KERNEL32(00000000), ref: 00EE52A1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: dcb3dbaac7718e1e3fdfa18d638a5c413f163cb0a1c2b4ae9426047dbf6037bc
Instruction ID: 7f2353e363f3fc8b6b9e9e55e4d5a0b4396d31b00a3e75d78ac23dd4da9172bd
Opcode Fuzzy Hash: dcb3dbaac7718e1e3fdfa18d638a5c413f163cb0a1c2b4ae9426047dbf6037bc
Instruction Fuzzy Hash: 9B316F75A00518DFDB00DF54D884EADBBF5FF49318F188099E909AB3A2DB71E856CB90

Function 00ED16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E90668
Part of subcall function 00E8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E90685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED173A
GetLastError.KERNEL32 ref: 00ED174A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 427234bbfde761a97b746186f41305e6b95767b14a0e4f5980a2a70af59bde9b
Instruction ID: fc8ea1bb8bf525ced0fac2e6fa4ff51ca92ca5e3774abba34adbc3e520795bd4
Opcode Fuzzy Hash: 427234bbfde761a97b746186f41305e6b95767b14a0e4f5980a2a70af59bde9b
Instruction Fuzzy Hash: 4B11C4B1400308BFD718AF54DD86E6AB7FDFB04714B20856EE45A63251EB70FC418B60

Function 00EDD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EDD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00EDD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EDD650

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 5088aef702f9f19e40ebaaeb2425e6f6163b5a62a6405bea612fadacd911ab74
Instruction ID: ade609dd03efe1f034eb90f38e87f1860072c9f2dfb25759f705531eb6b1d769
Opcode Fuzzy Hash: 5088aef702f9f19e40ebaaeb2425e6f6163b5a62a6405bea612fadacd911ab74
Instruction Fuzzy Hash: A6117CB1E05228BBDB108F949C44FAFBBBCEB45B50F108152F914E7290D2704A018BE1

Function 00ED1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00ED168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00ED16A1
FreeSid.ADVAPI32(?), ref: 00ED16B1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e040841cd34ec88cc5cb8bc961b367f3016f27fd3e96169a0b7b165b7fbe19cd
Instruction ID: a9d376fc507df65f7b11dc074413df4d8d515d86cbd6233b9c3c019fe1f9ed9a
Opcode Fuzzy Hash: e040841cd34ec88cc5cb8bc961b367f3016f27fd3e96169a0b7b165b7fbe19cd
Instruction Fuzzy Hash: 2BF0F47195030DFBEF00DFE49D89AAEBBBCFB08604F5045A5E501E2181E774AA449A90

Function 00ECD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00ECD28C

Strings

X64, xrefs: 00ECD2A8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 9bc3f7ae6ec8ec2f09ea2447edbbae711b634c9e98ca5ab4173ba17b8b2b3924
Instruction ID: 81f2cc8811ac458335c738b8cc5ae98e123a209b39b99ddce94e037b5b8332a6
Opcode Fuzzy Hash: 9bc3f7ae6ec8ec2f09ea2447edbbae711b634c9e98ca5ab4173ba17b8b2b3924
Instruction Fuzzy Hash: 9CD0C9B480511DEACB94DB90DC88DD9B37CFB04305F100255F10AF2050D73095499F10

Function 00E9CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 75168c03e93578f4129ed1e9f67475cf2a456160d7955cc48d26d3657d911d62
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 67021C71E002199BDF14DFA9C8806AEFBF1EF48314F25916AD919F7384D731AA41CB94

Function 00EE68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EE6918
FindClose.KERNEL32(00000000), ref: 00EE6961

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e9e30835198d2bf37d9556331c97760be81f6fcdf23b94afeebc971d9ddeeeb6
Instruction ID: 906c3b224cfc8ccdd9ad68847da945dcff3c9563122effacf3617a9f98864e57
Opcode Fuzzy Hash: e9e30835198d2bf37d9556331c97760be81f6fcdf23b94afeebc971d9ddeeeb6
Instruction Fuzzy Hash: 1311D0316042449FC710DF2AD884A1ABBE5FF85328F14C69DE4699F6A2C731EC05CB90

Function 00EE37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EF4891,?,?,00000035,?), ref: 00EE37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EF4891,?,?,00000035,?), ref: 00EE37F4

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 53fb36b5ea25b3373cae942ef2a3b1dd1bcef4d3844a52ee3ab549a2ece4ada0
Instruction ID: 71b8519ea0118cc660942b46d9bbb3ee297c9506edf641e5f5e537dbdd4889e2
Opcode Fuzzy Hash: 53fb36b5ea25b3373cae942ef2a3b1dd1bcef4d3844a52ee3ab549a2ece4ada0
Instruction Fuzzy Hash: EFF0E5B070522C2AEB2017B78C4DFEB7BAEEFC4761F000266F509E3281D9609904C6F0

Function 00EDB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00EDB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00EDB270

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 036e78fe19bf12783edc52fae922d1da1b6f69dbf2234f7fed8e20a781a48ed2
Instruction ID: 9006b8a66d1bb14760e844d55dbe0cee197d1c11e54b0be5f9124a48c80664e2
Opcode Fuzzy Hash: 036e78fe19bf12783edc52fae922d1da1b6f69dbf2234f7fed8e20a781a48ed2
Instruction Fuzzy Hash: 02F01D7590424DABDF059FA0C805BFE7BB4FF04309F04900AF955A51A1D77986129F94

Function 00ED10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ED11FC), ref: 00ED10D4
CloseHandle.KERNEL32(?,?,00ED11FC), ref: 00ED10E9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5e2f511fdd4bba4ab559f1cecc06d3e8181ef8b4953a3abb7e445befa5dcccb5
Instruction ID: 5213ddf7bcaf638da4596a0b4c60723ab8fa57642de1ae3f14f88cb1397c79df
Opcode Fuzzy Hash: 5e2f511fdd4bba4ab559f1cecc06d3e8181ef8b4953a3abb7e445befa5dcccb5
Instruction Fuzzy Hash: 7DE0BF72018610EEF7252B51FC05E7777E9FB04321F14892EF5A9905B1DB626CA0EB50

Function 00E7CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00EC0C40

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 3ed240d2a02e6bd0c5d801dceec6e48b69a9e5aa42c8283a5bd680a8d872026a
Instruction ID: 6980e26106956f54e475813bbca411097adfab7dcb6be62707e44acad8288ab0
Opcode Fuzzy Hash: 3ed240d2a02e6bd0c5d801dceec6e48b69a9e5aa42c8283a5bd680a8d872026a
Instruction Fuzzy Hash: D6326C70900218DBDF14DF94C985BEDB7B9BF05308F24A06DE90ABB291D736AE46CB51

Function 00EA676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EA6766,?,?,00000008,?,?,00EAFEFE,00000000), ref: 00EA6998

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b21c4c15b0094080beed460524a2cba79a47c481bf939d0cb96d7636395834de
Instruction ID: a952b20233060503c992bf46e2e7a298481b95d78df81be72834b964085c0fb9
Opcode Fuzzy Hash: b21c4c15b0094080beed460524a2cba79a47c481bf939d0cb96d7636395834de
Instruction Fuzzy Hash: 86B14E31510608DFD719CF28C48ABA57BE0FF4A368F299658E899DF2A1C735E991CB40

Function 00E8B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00EC851F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d5e325ad3747cea3b4ce2337cfe72d53e639d8e43a07df810081524b24c20662
Instruction ID: f2ce3a0af038081cc63e89cfcc8fdcfe05ee826710d1554b88af6331ad4b2b61
Opcode Fuzzy Hash: d5e325ad3747cea3b4ce2337cfe72d53e639d8e43a07df810081524b24c20662
Instruction Fuzzy Hash: 5F1260719002299BCB14DF58CA81BEEB7F5FF48710F14919AE849FB251EB709E81DB90

Function 00EEEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EEEABD

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ba5aa11433eaea71d23f926568171d3d4c47f8d8dd78aaa7455dc96550c1cef3
Instruction ID: 0f2f72d4ac11af069d2fce253e5ad97722b23c8b3cbba0a0166665992a4e77b0
Opcode Fuzzy Hash: ba5aa11433eaea71d23f926568171d3d4c47f8d8dd78aaa7455dc96550c1cef3
Instruction Fuzzy Hash: 59E012312002049FC710DF5AD404E9AB7DDAF58764F00942AFC4DD7351D770A8408B90

Function 00E909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E903EE), ref: 00E909DA

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b76b1ad1e653895914044975be5d578d43c5ee5077b7593e12b4445bcf04e0bc
Instruction ID: 5d3da503ca5ba5aa245a6a834a7315cb16d8c4a7eaf7f3d251901727885e9878
Opcode Fuzzy Hash: b76b1ad1e653895914044975be5d578d43c5ee5077b7593e12b4445bcf04e0bc
Instruction Fuzzy Hash:

Function 00E9781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00E9798B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: ad5da3e9c9e4725d777ba11b29cc047aa932211f63fdf4474ed69fa3e5984ec6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 8251536163C7255ADF3C8528895E7FE63D9DB82308F18350AD8C2FB292C611DE4ED356

Function 00EA6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474c845c7eb080d329e070d5852db8422b6ef3fbfc53d10fdeb2f560b919ab62
Instruction ID: 8c228785d0317820b971d9cc7de11fc1a9213cfd78f2244c26d01c32ee24bdf3
Opcode Fuzzy Hash: 474c845c7eb080d329e070d5852db8422b6ef3fbfc53d10fdeb2f560b919ab62
Instruction Fuzzy Hash: 20326722D29F014DD7239634DC223367689AFBB3C5F16E337F85AB99A5EB29D4835100

Function 00E8CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ace3d62c2616b4da772a356d168616ab2ae2fed81117ff030a5ae6346e5d2f
Instruction ID: b083bdc84903897cc9a1e87fc94e43f11c676c329d956ac1102a143117703045
Opcode Fuzzy Hash: b0ace3d62c2616b4da772a356d168616ab2ae2fed81117ff030a5ae6346e5d2f
Instruction Fuzzy Hash: 84320931A001058BCF24DE28C694FBDBBA1EB46318F38A56ED45EB7291D236DD83DB51

Function 00E77920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa33f337e3d5ebbdd31e9cfaebefe653efa58cba5fed96f76d91467c482aeec
Instruction ID: 0a447f160a862160d70ec3eb3b6f35929743235d824711e988764215cc321886
Opcode Fuzzy Hash: 9fa33f337e3d5ebbdd31e9cfaebefe653efa58cba5fed96f76d91467c482aeec
Instruction Fuzzy Hash: EC22AE71A0060A9FDF14DF64C881AEEB3F6FF48304F14A529E85AB7291EB359D51CB50

Function 00E791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f7c088322563ae28ec58097ae6b0b9f3a1a2d38bb25f0b7a027b8b5fdc7473
Instruction ID: 8f05f98f4f420697e82adb8490783a8e8beb99ced51a6b6a8ef4feb1ecfa1999
Opcode Fuzzy Hash: 06f7c088322563ae28ec58097ae6b0b9f3a1a2d38bb25f0b7a027b8b5fdc7473
Instruction Fuzzy Hash: A30295B1A00209EBDB04DF64D881AEEB7F5FF44314F109169E81ABB391E731AE11CB91

Function 00EA9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fe5e6750c3a5320e6ca1a99d5fe8cd1523704ee2279b67c230db93c449b0cb
Instruction ID: 2f9593e258c71b94863b97b39c506efed0b1044b7499bdac9e79a1bd7acbe560
Opcode Fuzzy Hash: c6fe5e6750c3a5320e6ca1a99d5fe8cd1523704ee2279b67c230db93c449b0cb
Instruction Fuzzy Hash: 7CB1F320D2AF454DD72396398831336FA5CAFBB6D5F92D71BFC2674D22EB2286835140

Function 00E91C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: daae5ea9c5d814769ca826ceadadde2b4e26d3850e58c400a9655e9228d3315c
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F59177722090A34ADF2D463E857407EFFE15A923A631A17DED8F2EA1C5FE24C954D620

Function 00E919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c6c9c66d0e365f2b635b0f164f84ef3ac1598c05b1163aa091773eec437b6a88
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: F79155722090E34EDF2D467A857407EFFE15A923A631A27DED4F2EA1C1FE24C954D620

Function 00E97A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8854e5ae368e41637702119214a218672e96cf4bef67b105dc488f33e43aa1
Instruction ID: 70b3de3e2b3b69e07fa7c7dfde5b708af8f54efbc48d0422e5d6285472e879eb
Opcode Fuzzy Hash: 4a8854e5ae368e41637702119214a218672e96cf4bef67b105dc488f33e43aa1
Instruction Fuzzy Hash: 8A61A97123830966DE389A2C8D91BFE63D6DF41708F14391AE8C2FB291E6519E4EC355

Function 00E97CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc12ed7ce966c9491b007b31cc8ca119866732d99a5ce8077f9315d77cff920
Instruction ID: 0444a16ec47ef0dfa613d8af5ac12d0b44ef9eb48f9185758e0c5025599b93b3
Opcode Fuzzy Hash: adc12ed7ce966c9491b007b31cc8ca119866732d99a5ce8077f9315d77cff920
Instruction Fuzzy Hash: 5D6159B163C70996DE384A284951BFF23D4AF4370CF14395EE8C2FB291DA12AD4EC255

Function 00E91706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 36c75aced356fa56e99949f780fd0e10a079aa3b32bebfb841806bd41fba0de2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 168185736080E309DF6E427A853407EFFE15A923A531A27DED4F2EB1C1EE24C554E620

Function 00E8D063 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26d6f516d9494ae6df557822e0ccb74a3051660b5dc87d53fbf29e193277917
Instruction ID: 40291c6e8febe57bcec9eeb5d12d6280ec666015907ba34bfe2687ef946dc501
Opcode Fuzzy Hash: d26d6f516d9494ae6df557822e0ccb74a3051660b5dc87d53fbf29e193277917
Instruction Fuzzy Hash: 85513E9298EAC51FD70362794C7A588BF748C2702079847EFC48146ED7E94E401FCB97

Function 01964248 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: e2baa4bf226aa6d5ff307a9874e9fc530c9120997ac12783b46754000a24681c
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: A041D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 00EE2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad2ebff9310d6bdff94f86b8e61b0be17b50823d974e922a026fc6f8a97062f
Instruction ID: f9d70f34c1378c9db00ef812f99c6a0634e0874562540938065d6ad70d27803d
Opcode Fuzzy Hash: 8ad2ebff9310d6bdff94f86b8e61b0be17b50823d974e922a026fc6f8a97062f
Instruction Fuzzy Hash: 5F21EB323205158BDB28CF79C82367E73E9A764320F55862EE4A7D37D0DE35A904D780

Function 01964138 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 93060faf61f6138295cbe44288b86aba4bc6a1126becb888e05bbe0db8d262c3
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 5A01A478A00209EFCB44DF98C5909AEF7FAFF98310F208599D809A7341D730AE51DB90

Function 019640D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 751c10c2deafe819111a347485629cbc54eca2d84d34cf36ac189fceea128bd5
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: CD019278A00209EFCB44DF98C5909AEF7FAFB58310F208599D809A7745D730AE41DB90

Function 01962AB8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725450998.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1960000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00EF2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EF2B30
DeleteObject.GDI32(00000000), ref: 00EF2B43
DestroyWindow.USER32 ref: 00EF2B52
GetDesktopWindow.USER32 ref: 00EF2B6D
GetWindowRect.USER32(00000000), ref: 00EF2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00EF2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EF2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF2CF8
GetClientRect.USER32(00000000,?), ref: 00EF2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EF2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF2D80
GlobalLock.KERNEL32(00000000), ref: 00EF2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF2D98
GlobalUnlock.KERNEL32(00000000), ref: 00EF2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF2DA8
GlobalFree.KERNEL32(00000000), ref: 00EF2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F0FC38,00000000), ref: 00EF2DDB
GlobalFree.KERNEL32(00000000), ref: 00EF2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00EF2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EF2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EF303F

Strings

DISPLAY, xrefs: 00EF2EA2
static, xrefs: 00EF2D3A, 00EF2E91
, xrefs: 00EF2FC5
AutoIt v3, xrefs: 00EF2CF2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 39fdf8563df6b7a2def5afb0fbd234fecc522a8d80df0bdcabfb78392f58b929
Instruction ID: a238e873028fb142833668ab342c88918e402ce36ab6974d80fc167367f256ce
Opcode Fuzzy Hash: 39fdf8563df6b7a2def5afb0fbd234fecc522a8d80df0bdcabfb78392f58b929
Instruction Fuzzy Hash: 03027075600209AFDB14DF64CC89EAE7BB9FF49714F108158FA19AB2A1CB70DD01DBA0

Function 00F070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F0712F
GetSysColorBrush.USER32(0000000F), ref: 00F07160
GetSysColor.USER32(0000000F), ref: 00F0716C
SetBkColor.GDI32(?,000000FF), ref: 00F07186
SelectObject.GDI32(?,?), ref: 00F07195
InflateRect.USER32(?,000000FF,000000FF), ref: 00F071C0
GetSysColor.USER32(00000010), ref: 00F071C8
CreateSolidBrush.GDI32(00000000), ref: 00F071CF
FrameRect.USER32(?,?,00000000), ref: 00F071DE
DeleteObject.GDI32(00000000), ref: 00F071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00F07230
FillRect.USER32(?,?,?), ref: 00F07262
GetWindowLongW.USER32(?,000000F0), ref: 00F07284

Part of subcall function 00F073E8: GetSysColor.USER32(00000012), ref: 00F07421
Part of subcall function 00F073E8: SetTextColor.GDI32(?,?), ref: 00F07425
Part of subcall function 00F073E8: GetSysColorBrush.USER32(0000000F), ref: 00F0743B
Part of subcall function 00F073E8: GetSysColor.USER32(0000000F), ref: 00F07446
Part of subcall function 00F073E8: GetSysColor.USER32(00000011), ref: 00F07463
Part of subcall function 00F073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F07471
Part of subcall function 00F073E8: SelectObject.GDI32(?,00000000), ref: 00F07482
Part of subcall function 00F073E8: SetBkColor.GDI32(?,00000000), ref: 00F0748B
Part of subcall function 00F073E8: SelectObject.GDI32(?,?), ref: 00F07498
Part of subcall function 00F073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00F074B7
Part of subcall function 00F073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F074CE
Part of subcall function 00F073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00F074DB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 306a4861d6ccc6be7796fe48eda943398792de05f91d913e548c972c0515925b
Instruction ID: b463ea578ed7a4e1e3f8cb2d3707e8d7be69322ff6c6ecc151e290a278d10f60
Opcode Fuzzy Hash: 306a4861d6ccc6be7796fe48eda943398792de05f91d913e548c972c0515925b
Instruction Fuzzy Hash: 12A19172408305AFDB11AF60DC48E6BBBA9FF49320F140B19F962961E1D771E944EF91

Function 00E88D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00E88E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00EC6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00EC6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EC6F43

Part of subcall function 00E88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E88BE8,?,00000000,?,?,?,?,00E88BBA,00000000,?), ref: 00E88FC5

SendMessageW.USER32(?,00001053), ref: 00EC6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EC6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00EC6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00EC6FB7

Strings

0, xrefs: 00EC6DCF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 4a448b5da56f22d0ae8625e819c638f0d56c0c7a79ed8c6e028c6977b4b2ab22
Instruction ID: 7290dfb211d8caf7798ac6aa4b57397f45b10f5b6afffaf5a568141b5dab3cc6
Opcode Fuzzy Hash: 4a448b5da56f22d0ae8625e819c638f0d56c0c7a79ed8c6e028c6977b4b2ab22
Instruction Fuzzy Hash: FE129C342002059FDB25DF14CE44FAABBE5FB49304F54556DF889AB261CB32EC92EB91

Function 00EF2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EF273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EF286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00EF28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EF28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00EF2900
GetClientRect.USER32(00000000,?), ref: 00EF290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00EF2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EF2964
GetStockObject.GDI32(00000011), ref: 00EF2974
SelectObject.GDI32(00000000,00000000), ref: 00EF2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00EF2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EF2991
DeleteDC.GDI32(00000000), ref: 00EF299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EF29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EF29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00EF2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EF2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EF2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00EF2A77
GetStockObject.GDI32(00000011), ref: 00EF2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EF2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00EF2A97

Strings

DISPLAY, xrefs: 00EF295A
static, xrefs: 00EF294F, 00EF2A71
msctls_progress32, xrefs: 00EF2A13
AutoIt v3, xrefs: 00EF28F8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 06e631fcdf4f30abf1a5f90b67e3b2100f8cf14b4b286a856dbc6f1e0e56f374
Instruction ID: de4c369a2d9989d496f5524903a6882e3a63f105c71c04046482a32e78fcc6ee
Opcode Fuzzy Hash: 06e631fcdf4f30abf1a5f90b67e3b2100f8cf14b4b286a856dbc6f1e0e56f374
Instruction Fuzzy Hash: FFB14B75A40219AFEB14DFA8CC49FAE7BA9FB48714F108219FA15E72D0D770AD40DB90

Function 00EE4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EE4AED
GetDriveTypeW.KERNEL32(?,00F0CB68,?,\\.\,00F0CC08), ref: 00EE4BCA
SetErrorMode.KERNEL32(00000000,00F0CB68,?,\\.\,00F0CC08), ref: 00EE4D36

Strings

SCSI, xrefs: 00EE4C8A
CDROM, xrefs: 00EE4BFB
SSA, xrefs: 00EE4CA6
ATA, xrefs: 00EE4C98
Fibre, xrefs: 00EE4CAD
Unknown, xrefs: 00EE4BED, 00EE4C83
RAMDisk, xrefs: 00EE4BF4
MMC, xrefs: 00EE4CDE
SAS, xrefs: 00EE4CC9
Network, xrefs: 00EE4C02
iSCSI, xrefs: 00EE4CC2
Removable, xrefs: 00EE4C10, 00EE4C15
1394, xrefs: 00EE4C9F
ATAPI, xrefs: 00EE4C91
PhysicalDrive, xrefs: 00EE4B76
Fixed, xrefs: 00EE4C09
FileBackedVirtual, xrefs: 00EE4CEC
SSD, xrefs: 00EE4C4A
Virtual, xrefs: 00EE4CE5
RAID, xrefs: 00EE4CBB
USB, xrefs: 00EE4CB4
\\.\, xrefs: 00EE4B3F
SATA, xrefs: 00EE4CD0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c46dc99524a686a7651286fe5be725f11d86ee8002496fa9b36ea7c152f0aa68
Instruction ID: 409054d6bdec8c7355fc404c2e63b51fcfaba5577ba14bfa01fd2530a57546fe
Opcode Fuzzy Hash: c46dc99524a686a7651286fe5be725f11d86ee8002496fa9b36ea7c152f0aa68
Instruction Fuzzy Hash: A461A2B160514DABDB04DF25C981AA9B7E0AB04354F34E015F80AFB6D2DB35ED41EB52

Function 00F073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F07421
SetTextColor.GDI32(?,?), ref: 00F07425
GetSysColorBrush.USER32(0000000F), ref: 00F0743B
GetSysColor.USER32(0000000F), ref: 00F07446
CreateSolidBrush.GDI32(?), ref: 00F0744B
GetSysColor.USER32(00000011), ref: 00F07463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F07471
SelectObject.GDI32(?,00000000), ref: 00F07482
SetBkColor.GDI32(?,00000000), ref: 00F0748B
SelectObject.GDI32(?,?), ref: 00F07498
InflateRect.USER32(?,000000FF,000000FF), ref: 00F074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00F074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F0752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F07554
InflateRect.USER32(?,000000FD,000000FD), ref: 00F07572
DrawFocusRect.USER32(?,?), ref: 00F0757D
GetSysColor.USER32(00000011), ref: 00F0758E
SetTextColor.GDI32(?,00000000), ref: 00F07596
DrawTextW.USER32(?,00F070F5,000000FF,?,00000000), ref: 00F075A8
SelectObject.GDI32(?,?), ref: 00F075BF
DeleteObject.GDI32(?), ref: 00F075CA
SelectObject.GDI32(?,?), ref: 00F075D0
DeleteObject.GDI32(?), ref: 00F075D5
SetTextColor.GDI32(?,?), ref: 00F075DB
SetBkColor.GDI32(?,?), ref: 00F075E5

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4859bd21402b8e6989a23206ebff6de299e2299a54eabaa128ba7a1d64e46a9b
Instruction ID: c9de4944b7ace2d5dc4a984761786c69f64f07258d422b70a32e2b124e67f2bb
Opcode Fuzzy Hash: 4859bd21402b8e6989a23206ebff6de299e2299a54eabaa128ba7a1d64e46a9b
Instruction Fuzzy Hash: 2F617D76D00218AFDF01AFA4DC48AEE7FB9FB08320F144251F915AB2E1D771A940EB90

Function 00F00FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F01128
GetDesktopWindow.USER32 ref: 00F0113D
GetWindowRect.USER32(00000000), ref: 00F01144
GetWindowLongW.USER32(?,000000F0), ref: 00F01199
DestroyWindow.USER32(?), ref: 00F011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F0120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F0121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00F01232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00F01245
IsWindowVisible.USER32(00000000), ref: 00F012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00F012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00F012D0
GetWindowRect.USER32(00000000,?), ref: 00F012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00F0130E
GetMonitorInfoW.USER32(00000000,?), ref: 00F01328
CopyRect.USER32(?,?), ref: 00F0133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00F013AA

Strings

(, xrefs: 00F0131B
tooltips_class32, xrefs: 00F011E6
0, xrefs: 00F010D3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 27cdfdec03bb7fc9116f87d0219ad8bbb457260637b5bd1b1bccd2807c0132f2
Instruction ID: 69141cac76edd8635e29dd604a989a764b4c2e9afd9d0c9340ba525209f63bf8
Opcode Fuzzy Hash: 27cdfdec03bb7fc9116f87d0219ad8bbb457260637b5bd1b1bccd2807c0132f2
Instruction Fuzzy Hash: BCB18C71604341AFDB14DF64C884B6ABBE5FF84754F00891CF999AB2A1C731E845EB92

Function 00E88891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E88968
GetSystemMetrics.USER32(00000007), ref: 00E88970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E8899B
GetSystemMetrics.USER32(00000008), ref: 00E889A3
GetSystemMetrics.USER32(00000004), ref: 00E889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E88A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E88A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E88A5A
GetStockObject.GDI32(00000011), ref: 00E88A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E88A81

Part of subcall function 00E8912D: GetCursorPos.USER32(?), ref: 00E89141
Part of subcall function 00E8912D: ScreenToClient.USER32(00000000,?), ref: 00E8915E
Part of subcall function 00E8912D: GetAsyncKeyState.USER32(00000001), ref: 00E89183
Part of subcall function 00E8912D: GetAsyncKeyState.USER32(00000002), ref: 00E8919D

SetTimer.USER32(00000000,00000000,00000028,00E890FC), ref: 00E88AA8

Strings

AutoIt v3 GUI, xrefs: 00E88A20

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c619cc862de5a037f66de35a1d27e01f35a6a4995b9312cea4e172ff7387f1c1
Instruction ID: 7e250294e5620b7757cdfcf141c9301a1198b230efc2e797703ba28565f985b2
Opcode Fuzzy Hash: c619cc862de5a037f66de35a1d27e01f35a6a4995b9312cea4e172ff7387f1c1
Instruction Fuzzy Hash: CFB17B75A00209AFDF14EFA8CD45BAE3BB5FB48314F14522AFE19A7290DB34E841DB51

Function 00ED0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED1114
Part of subcall function 00ED10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED1120
Part of subcall function 00ED10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED112F
Part of subcall function 00ED10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED1136
Part of subcall function 00ED10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ED0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ED0E29
GetLengthSid.ADVAPI32(?), ref: 00ED0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00ED0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ED0E96
GetLengthSid.ADVAPI32(?), ref: 00ED0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00ED0EB5
HeapAlloc.KERNEL32(00000000), ref: 00ED0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ED0EDD
CopySid.ADVAPI32(00000000), ref: 00ED0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ED0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ED0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ED0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED0F6E
HeapFree.KERNEL32(00000000), ref: 00ED0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED0F7E
HeapFree.KERNEL32(00000000), ref: 00ED0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED0F8E
HeapFree.KERNEL32(00000000), ref: 00ED0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00ED0FA1
HeapFree.KERNEL32(00000000), ref: 00ED0FA8

Part of subcall function 00ED1193: GetProcessHeap.KERNEL32(00000008,00ED0BB1,?,00000000,?,00ED0BB1,?), ref: 00ED11A1
Part of subcall function 00ED1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00ED0BB1,?), ref: 00ED11A8
Part of subcall function 00ED1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00ED0BB1,?), ref: 00ED11B7

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8dbe52faeebac34737e75669feff317e26795b02b7d8f1ffcc38bd2a2d525663
Instruction ID: 5f5ccb91fa9500bf8848d6d750e27b41710175eef73b79d6ebf1266cfe9119d1
Opcode Fuzzy Hash: 8dbe52faeebac34737e75669feff317e26795b02b7d8f1ffcc38bd2a2d525663
Instruction Fuzzy Hash: FB71417290020AABDF209FA5DC48FEEBBB8FF04314F185216F955F6291D7719906CBA0

Function 00EFC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EFC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F0CC08,00000000,?,00000000,?,?), ref: 00EFC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00EFC5A4
_wcslen.LIBCMT ref: 00EFC5F4
_wcslen.LIBCMT ref: 00EFC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00EFC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00EFC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00EFC84D
RegCloseKey.ADVAPI32(?), ref: 00EFC881
RegCloseKey.ADVAPI32(00000000), ref: 00EFC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00EFC960

Strings

REG_BINARY, xrefs: 00EFC913
REG_SZ, xrefs: 00EFC644
REG_QWORD, xrefs: 00EFC8C3
REG_DWORD, xrefs: 00EFC804
REG_MULTI_SZ, xrefs: 00EFC6F5
REG_EXPAND_SZ, xrefs: 00EFC5CD

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8f06848909b5596f807ba9ca79129a967d1af5bd3b0e4760310ff3b2d4c600e9
Instruction ID: 3067986a58e7a3974ce6b9c20c0e93b04ba55a657d265c5a6721fb91d8e1eee5
Opcode Fuzzy Hash: 8f06848909b5596f807ba9ca79129a967d1af5bd3b0e4760310ff3b2d4c600e9
Instruction Fuzzy Hash: D21259756042059FDB14DF24C981A2AB7E5FF88714F24985CF98AAB3A2DB31FD41CB81

Function 00F0091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F009C6
_wcslen.LIBCMT ref: 00F00A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F00A54
_wcslen.LIBCMT ref: 00F00A8A
_wcslen.LIBCMT ref: 00F00B06
_wcslen.LIBCMT ref: 00F00B81

Part of subcall function 00E8F9F2: _wcslen.LIBCMT ref: 00E8F9FD

Part of subcall function 00ED2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ED2BFA

Strings

GETSELECTED, xrefs: 00F00C4E
GETTEXT, xrefs: 00F00C97
CHECK, xrefs: 00F00A85, 00F00AA0
COLLAPSE, xrefs: 00F00B01, 00F00B1C
GETITEMCOUNT, xrefs: 00F00C1E
EXPAND, xrefs: 00F00BF8
ISCHECKED, xrefs: 00F00CE1
GETTOTALCOUNT, xrefs: 00F009F2, 00F00A17
EXISTS, xrefs: 00F00B7C, 00F00B97
UNCHECK, xrefs: 00F00D3E
SELECT, xrefs: 00F00D11

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 6acdaad7dd0b2f07931b60923d10d2b54a547a0011c0bd55e017eaa67192806f
Instruction ID: 69708099391e1a54b9dff471ea419bd07a48acac831723ec708496d95a3a8033
Opcode Fuzzy Hash: 6acdaad7dd0b2f07931b60923d10d2b54a547a0011c0bd55e017eaa67192806f
Instruction Fuzzy Hash: 41E18E716083019FC714EF24C450A2AB7E2FF99324F14895DF899AB3A2DB31ED45EB91

Function 00EFC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EFB6AE,?,?), ref: 00EFC9B5
_wcslen.LIBCMT ref: 00EFC9F1
_wcslen.LIBCMT ref: 00EFCA68
_wcslen.LIBCMT ref: 00EFCA9E
_wcslen.LIBCMT ref: 00EFCAF9
_wcslen.LIBCMT ref: 00EFCB2F
_wcslen.LIBCMT ref: 00EFCB7F

Strings

HKU, xrefs: 00EFCBF0
HKLM, xrefs: 00EFCA98, 00EFCA9D
HKEY_CURRENT_CONFIG, xrefs: 00EFCB79, 00EFCB7E
HKCR, xrefs: 00EFCB29, 00EFCB2E
HKEY_LOCAL_MACHINE, xrefs: 00EFCA62, 00EFCA67
HKEY_USERS, xrefs: 00EFCBDF
HKEY_CLASSES_ROOT, xrefs: 00EFCAF3, 00EFCAF8
HKCC, xrefs: 00EFCBAC
HKEY_CURRENT_USER, xrefs: 00EFCBBD
HKCU, xrefs: 00EFCBCE

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2924a8d8e767a6ae2a428c1942b4e7129347d981e2c3b20e94ddc5949d118f7d
Instruction ID: 47969c470fb74d295bc30687019567e9a364aa1cd1e7a65c6e2655324806b93d
Opcode Fuzzy Hash: 2924a8d8e767a6ae2a428c1942b4e7129347d981e2c3b20e94ddc5949d118f7d
Instruction Fuzzy Hash: 1E71F47260052E8BCB20EE7CCA515FA3391AFA0768F352524FE5AB7285E631DD45D3A0

Function 00F0833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F0835A
_wcslen.LIBCMT ref: 00F0836E
_wcslen.LIBCMT ref: 00F08391
_wcslen.LIBCMT ref: 00F083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00F0361A,?), ref: 00F0844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F08487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F08501
FreeLibrary.KERNEL32(?), ref: 00F0850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F0851D
DestroyIcon.USER32(?), ref: 00F0852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F08549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F08555

Strings

.exe, xrefs: 00F08388
.icl, xrefs: 00F08368
.dll, xrefs: 00F083AB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 49b456f50860e9771ad17add572492a351c96631814fff2ddec730cc52ee3470
Instruction ID: 523e08d736c119909fe9b83efdfcb36e545880dc51ac78be38a34bc6f0416d66
Opcode Fuzzy Hash: 49b456f50860e9771ad17add572492a351c96631814fff2ddec730cc52ee3470
Instruction Fuzzy Hash: B861C0B1900219BAEB14DF64CC85FBE77A8BF04B61F104609F855E61D1DB74A982EBA0

Function 00E77778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00EB5169
#comments-start, xrefs: 00E7785F, 00E778B1
#cs, xrefs: 00E77873, 00E778C5
Unterminated group of comments, xrefs: 00EB528C
#notrayicon, xrefs: 00E777E7
#requireadmin, xrefs: 00E777FF
", xrefs: 00EB5153
#pragma compile, xrefs: 00E777D3
#OnAutoItStartRegister, xrefs: 00E77817
#include, xrefs: 00E77847
#ce, xrefs: 00E778ED
Bad directive syntax error, xrefs: 00EB519A
Cannot parse #include, xrefs: 00EB5279
#comments-end, xrefs: 00E778D9
#include-once, xrefs: 00E7782F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 446f29fd94b4f53a82204c52cbe6c0efe211f09fb3acc09bce97c070cd39353f
Instruction ID: 7c795b7a1f1a24990ba8018cb5880f644392c9b1d780c351490d88863a8a019b
Opcode Fuzzy Hash: 446f29fd94b4f53a82204c52cbe6c0efe211f09fb3acc09bce97c070cd39353f
Instruction Fuzzy Hash: F481F4B1604605BBDB25AF64CC82FEF37E8AF15300F04A025F94CBA196EB74D911D7A2

Function 00EE3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EE3EF8
_wcslen.LIBCMT ref: 00EE3F03
_wcslen.LIBCMT ref: 00EE3F5A
_wcslen.LIBCMT ref: 00EE3F98
GetDriveTypeW.KERNEL32(?), ref: 00EE3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EE401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EE4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EE4087

Strings

wait, xrefs: 00EE4044
closed, xrefs: 00EE3F08, 00EE3F2D, 00EE3F46, 00EE3F7E, 00EE3F97
type cdaudio alias cd wait, xrefs: 00EE4001
close cd wait, xrefs: 00EE4072
close, xrefs: 00EE3EFE, 00EE3F18
open , xrefs: 00EE3FE5
set cd door , xrefs: 00EE4028
open, xrefs: 00EE3F54, 00EE3F59

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: ee13a1fe3389acd2f79ffcdc14c493fd19560cc8fbc3cb9ccde7cb886a8555b7
Instruction ID: 51bcb06af0c60ce945840361acd5388407f428335cb86a9cfc147c7b74af5bda
Opcode Fuzzy Hash: ee13a1fe3389acd2f79ffcdc14c493fd19560cc8fbc3cb9ccde7cb886a8555b7
Instruction Fuzzy Hash: F671D2716042059FC710EF35C8818AAB7F4EF94768F10A92DF895A7292EB30DE45CB92

Function 00ED5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00ED5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ED5A40
SetWindowTextW.USER32(?,?), ref: 00ED5A57
GetDlgItem.USER32(?,000003EA), ref: 00ED5A6C
SetWindowTextW.USER32(00000000,?), ref: 00ED5A72
GetDlgItem.USER32(?,000003E9), ref: 00ED5A82
SetWindowTextW.USER32(00000000,?), ref: 00ED5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ED5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ED5AC3
GetWindowRect.USER32(?,?), ref: 00ED5ACC
_wcslen.LIBCMT ref: 00ED5B33
SetWindowTextW.USER32(?,?), ref: 00ED5B6F
GetDesktopWindow.USER32 ref: 00ED5B75
GetWindowRect.USER32(00000000), ref: 00ED5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00ED5BD3
GetClientRect.USER32(?,?), ref: 00ED5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00ED5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ED5C2F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: d76b64f91c4d3f18cf299a08134722f06e8018d620de7eff0d2dad6d1609bc38
Instruction ID: c0cd4ad1d3bc4c9b1a979041b00930a267511f2ca01954162c4fc6d267098659
Opcode Fuzzy Hash: d76b64f91c4d3f18cf299a08134722f06e8018d620de7eff0d2dad6d1609bc38
Instruction Fuzzy Hash: B5718F32900B099FDB20DFA8CE45AAEBBF5FF48704F10561AE546B26A0D771E941DB50

Function 00E900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E900C6

Part of subcall function 00E900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F4070C,00000FA0,D07A849A,?,?,?,?,00EB23B3,000000FF), ref: 00E9011C
Part of subcall function 00E900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00EB23B3,000000FF), ref: 00E90127
Part of subcall function 00E900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00EB23B3,000000FF), ref: 00E90138
Part of subcall function 00E900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E9014E
Part of subcall function 00E900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E9015C
Part of subcall function 00E900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E9016A
Part of subcall function 00E900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E90195
Part of subcall function 00E900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E901A0

___scrt_fastfail.LIBCMT ref: 00E900E7

Part of subcall function 00E900A3: __onexit.LIBCMT ref: 00E900A9

Strings

kernel32.dll, xrefs: 00E90133
InitializeConditionVariable, xrefs: 00E90148
SleepConditionVariableCS, xrefs: 00E90154
WakeAllConditionVariable, xrefs: 00E90162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E90122

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 682ab82f756fd5f212da33e892936d57aa1544863b71bd88b46533b52c579151
Instruction ID: e8fadfb47dab93d2ad8f6a679c64717b6fc8530f3125ba803cef55e7ab312b48
Opcode Fuzzy Hash: 682ab82f756fd5f212da33e892936d57aa1544863b71bd88b46533b52c579151
Instruction Fuzzy Hash: 17212932A46715AFDB206BA4AC09B6A77D4EB05B61F40122AFD05F36D1DF749800AA92

Function 00ED30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ED318D
_wcslen.LIBCMT ref: 00ED31F8

Strings

TEXT, xrefs: 00ED347C
REGEXPCLASS, xrefs: 00ED3255, 00ED3266
INSTANCE, xrefs: 00ED3453
CLASSNN, xrefs: 00ED31F3, 00ED3204
CLASS, xrefs: 00ED3188, 00ED31A5
NAME, xrefs: 00ED3335, 00ED3346

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: ebdee061a7d224e92522921af17d96ad0a103b01ba50406c44d93464a0b5422a
Instruction ID: c1963f0df37bde9554e55d2074bd4217b7d96b2753a52518d7aa97205f978132
Opcode Fuzzy Hash: ebdee061a7d224e92522921af17d96ad0a103b01ba50406c44d93464a0b5422a
Instruction Fuzzy Hash: EAE1F532A00516ABCF189FB4C4516EDFBB0FF94714F14A12BE466B7350DB30AE469791

Function 00EE44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00F0CC08), ref: 00EE4527
_wcslen.LIBCMT ref: 00EE453B
_wcslen.LIBCMT ref: 00EE4599
_wcslen.LIBCMT ref: 00EE45F4
_wcslen.LIBCMT ref: 00EE463F
_wcslen.LIBCMT ref: 00EE46A7

Part of subcall function 00E8F9F2: _wcslen.LIBCMT ref: 00E8F9FD

GetDriveTypeW.KERNEL32(?,00F36BF0,00000061), ref: 00EE4743

Strings

unknown, xrefs: 00EE4708
all, xrefs: 00EE4531, 00EE4536
fixed, xrefs: 00EE4635, 00EE463A
cdrom, xrefs: 00EE458F, 00EE4594
network, xrefs: 00EE469D, 00EE46A2
removable, xrefs: 00EE45EA, 00EE45EF
ramdisk, xrefs: 00EE46F1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e5d01ab6c93b5ff578c27263ccbde5e8353a7f9cdb69730cfbdcbdf21e4a5207
Instruction ID: 6c69e3d7a15a38c8cb1cf388687fb16d6489179c8a1ad99b30f7e0c229a56729
Opcode Fuzzy Hash: e5d01ab6c93b5ff578c27263ccbde5e8353a7f9cdb69730cfbdcbdf21e4a5207
Instruction Fuzzy Hash: 67B123B16083469FC710DF29C890A6AB7E5BFE5724F10A91DF09AE72D1D730D844CB92

Function 00EFAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EFB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EFB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EFB1D4
_wcslen.LIBCMT ref: 00EFB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EFB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EFB236
_wcslen.LIBCMT ref: 00EFB332

Part of subcall function 00EE05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EE05C6

_wcslen.LIBCMT ref: 00EFB34B
_wcslen.LIBCMT ref: 00EFB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EFB3B6
GetLastError.KERNEL32(00000000), ref: 00EFB407
CloseHandle.KERNEL32(?), ref: 00EFB439
CloseHandle.KERNEL32(00000000), ref: 00EFB44A
CloseHandle.KERNEL32(00000000), ref: 00EFB45C
CloseHandle.KERNEL32(00000000), ref: 00EFB46E
CloseHandle.KERNEL32(?), ref: 00EFB4E3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 47b8de0962c48db7a2932522b34918f87ce6a0e26777c3d09d0800aeb5ab9acd
Instruction ID: d26bb3d83af254cfaecb8ef5b6111c4d12f452936effaf2cd12b7b1c0191e922
Opcode Fuzzy Hash: 47b8de0962c48db7a2932522b34918f87ce6a0e26777c3d09d0800aeb5ab9acd
Instruction Fuzzy Hash: D9F1BC31608344DFCB14EF24C881B6EBBE5AF85714F18955DF999AB2A2DB31EC40CB52

Function 00E7326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F41990), ref: 00EB2F8D
GetMenuItemCount.USER32(00F41990), ref: 00EB303D
GetCursorPos.USER32(?), ref: 00EB3081
SetForegroundWindow.USER32(00000000), ref: 00EB308A
TrackPopupMenuEx.USER32(00F41990,00000000,?,00000000,00000000,00000000), ref: 00EB309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EB30A9

Strings

0, xrefs: 00E7327D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 9bb79562aa04cb4396c340482595999430b0f429b3c30a5c4661b01a7e368cca
Instruction ID: e00e8cd04f9967933a27793289396b9a239b92e12c0ee2a7e6425ac1b312fbfa
Opcode Fuzzy Hash: 9bb79562aa04cb4396c340482595999430b0f429b3c30a5c4661b01a7e368cca
Instruction Fuzzy Hash: EE71F770640205BEEB219F25CC49FEBBFA8FF05368F205216F6187A1E1C7B1A910E790

Function 00F06CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F06DEB

Part of subcall function 00E76B57: _wcslen.LIBCMT ref: 00E76B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F06E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F06E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F06E94
DestroyWindow.USER32(?), ref: 00F06EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E70000,00000000), ref: 00F06EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F06EFD
GetDesktopWindow.USER32 ref: 00F06F16
GetWindowRect.USER32(00000000), ref: 00F06F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F06F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F06F4D

Part of subcall function 00E89944: GetWindowLongW.USER32(?,000000EB), ref: 00E89952

Strings

tooltips_class32, xrefs: 00F06E58, 00F06EDD
0, xrefs: 00F06D98

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: fde794aedc8b9e4a0dd73e4906ff30f21d0addeb38856fde36d1678a8cee51bf
Instruction ID: ebc869a572032623a6d8271e3aa11f555c843710aef04e732d09f96c21ecf1a3
Opcode Fuzzy Hash: fde794aedc8b9e4a0dd73e4906ff30f21d0addeb38856fde36d1678a8cee51bf
Instruction Fuzzy Hash: EB719674500345AFEB21CF18DC44BAABBE9FB89314F04091DFA89C72A1D731E956EB12

Function 00F0911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E89BB2

DragQueryPoint.SHELL32(?,?), ref: 00F09147

Part of subcall function 00F07674: ClientToScreen.USER32(?,?), ref: 00F0769A
Part of subcall function 00F07674: GetWindowRect.USER32(?,?), ref: 00F07710
Part of subcall function 00F07674: PtInRect.USER32(?,?,00F08B89), ref: 00F07720

SendMessageW.USER32(?,000000B0,?,?), ref: 00F091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F09225
SendMessageW.USER32(?,000000B0,?,?), ref: 00F0923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F09255
SendMessageW.USER32(?,000000B1,?,?), ref: 00F09277
DragFinish.SHELL32(?), ref: 00F0927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F09371

Strings

@GUI_DRAGFILE, xrefs: 00F09320
@GUI_DROPID, xrefs: 00F0929E
@GUI_DRAGID, xrefs: 00F092E9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: bf226936ba1c0608cea698cede36e5aa228fce7278a77f31380c4b6249383c50
Instruction ID: ac9bff170d3d16ba2291849430b490b5ffaf8c754bff9fb52a435edbe59d29b8
Opcode Fuzzy Hash: bf226936ba1c0608cea698cede36e5aa228fce7278a77f31380c4b6249383c50
Instruction Fuzzy Hash: 23616971108304AFD711EF60DC85DAFBBE8FF89350F104A2DF995921A1DB709A49DB92

Function 00EEC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EEC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EEC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EEC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EEC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EEC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EEC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EEC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EEC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EEC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EEC5F0
InternetCloseHandle.WININET(00000000), ref: 00EEC5FB

Strings

, xrefs: 00EEC575

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c3b46393f47bb63c8c0126a79a41cb03e9df00fba00510bd15f590c200311b7e
Instruction ID: 2528cde9c474dc7a793d4df9123b3ed3365de33ac12f153a907272151dac46ad
Opcode Fuzzy Hash: c3b46393f47bb63c8c0126a79a41cb03e9df00fba00510bd15f590c200311b7e
Instruction Fuzzy Hash: AA516DB050034DBFDB219F62C948AAB7BFCFF08748F10551AF945A6250DB30E949EBA0

Function 00F0856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00F08592
GetFileSize.KERNEL32(00000000,00000000), ref: 00F085A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00F085AD
CloseHandle.KERNEL32(00000000), ref: 00F085BA
GlobalLock.KERNEL32(00000000), ref: 00F085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00F085D7
GlobalUnlock.KERNEL32(00000000), ref: 00F085E0
CloseHandle.KERNEL32(00000000), ref: 00F085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00F085F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F0FC38,?), ref: 00F08611
GlobalFree.KERNEL32(00000000), ref: 00F08621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00F08641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F08671
DeleteObject.GDI32(00000000), ref: 00F08699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F086AF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7bb7d8f05117f375d2a5c5293d68889379b2db2fd0d3c72ad3d09b21201b3404
Instruction ID: 42606cfd3fbe0f8716da180340a97439cc41c5058b159a4167685aacb0813816
Opcode Fuzzy Hash: 7bb7d8f05117f375d2a5c5293d68889379b2db2fd0d3c72ad3d09b21201b3404
Instruction Fuzzy Hash: 5C414B75600208EFDB119FA5CC88EAA7BB9FF89761F148158F945E72A0DB319D01EB60

Function 00EE14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00EE1502
VariantCopy.OLEAUT32(?,?), ref: 00EE150B
VariantClear.OLEAUT32(?), ref: 00EE1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EE15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00EE1657
VariantInit.OLEAUT32(?), ref: 00EE1708
SysFreeString.OLEAUT32(?), ref: 00EE178C
VariantClear.OLEAUT32(?), ref: 00EE17D8
VariantClear.OLEAUT32(?), ref: 00EE17E7
VariantInit.OLEAUT32(00000000), ref: 00EE1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00EE1625
Default, xrefs: 00EE16AF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5f7fe7c087843112bd4d4ac5edbe156e626f3e3c921ff67cd4e62184b019ab05
Instruction ID: 85f326cf05ee943fb5e7308b331948bb5b476fe4fea19e8f0f1b85667f379742
Opcode Fuzzy Hash: 5f7fe7c087843112bd4d4ac5edbe156e626f3e3c921ff67cd4e62184b019ab05
Instruction Fuzzy Hash: 80D10131A00149DBDB10EF66D884BBDB7F5BF45700F24919AE84ABB185DB30DC88DB92

Function 00EFB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00EFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EFB6AE,?,?), ref: 00EFC9B5
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFC9F1
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFCA68
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EFB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EFB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00EFB80A
RegCloseKey.ADVAPI32(?), ref: 00EFB87E
RegCloseKey.ADVAPI32(?), ref: 00EFB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00EFB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EFB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00EFB922
FreeLibrary.KERNEL32(00000000), ref: 00EFB983
RegCloseKey.ADVAPI32(00000000), ref: 00EFB994

Strings

advapi32.dll, xrefs: 00EFB8ED
RegDeleteKeyExW, xrefs: 00EFB8FE

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 405ef54c0dbc352db1fc9ba834da3ccb3413f15fde1b05a1a381fbb01f451634
Instruction ID: df8f0c22d7f1cb6f000aa2f140a9cc5062676ad36140061abfda81a9e81504b4
Opcode Fuzzy Hash: 405ef54c0dbc352db1fc9ba834da3ccb3413f15fde1b05a1a381fbb01f451634
Instruction Fuzzy Hash: 78C19F30204245AFD714DF14C495F2ABBE5BF84308F24955CF59AAB2A2CB71ED45CB91

Function 00EF255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EF25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00EF25E8
CreateCompatibleDC.GDI32(?), ref: 00EF25F4
SelectObject.GDI32(00000000,?), ref: 00EF2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00EF266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00EF26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00EF26D0
SelectObject.GDI32(?,?), ref: 00EF26D8
DeleteObject.GDI32(?), ref: 00EF26E1
DeleteDC.GDI32(?), ref: 00EF26E8
ReleaseDC.USER32(00000000,?), ref: 00EF26F3

Strings

(, xrefs: 00EF268D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 274f1d08b8522ea220204b8c2d3ad49a354a74fa88be16b53c5ace01a87c636c
Instruction ID: 118da2dd2128a19aedae1eaddfd44d677e1334499f3ff4fd46522235b89183ab
Opcode Fuzzy Hash: 274f1d08b8522ea220204b8c2d3ad49a354a74fa88be16b53c5ace01a87c636c
Instruction Fuzzy Hash: E361C275D00219EFCF14CFA4D884AAEBBF5FF48310F20852AEA59A7250D774A951DF90

Function 00EADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00EADAA1

Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD659
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD66B
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD67D
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD68F
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD6A1
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD6B3
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD6C5
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD6D7
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD6E9
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD6FB
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD70D
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD71F
Part of subcall function 00EAD63C: _free.LIBCMT ref: 00EAD731

_free.LIBCMT ref: 00EADA96

Part of subcall function 00EA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000), ref: 00EA29DE
Part of subcall function 00EA29C8: GetLastError.KERNEL32(00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000,00000000), ref: 00EA29F0

_free.LIBCMT ref: 00EADAB8
_free.LIBCMT ref: 00EADACD
_free.LIBCMT ref: 00EADAD8
_free.LIBCMT ref: 00EADAFA
_free.LIBCMT ref: 00EADB0D
_free.LIBCMT ref: 00EADB1B
_free.LIBCMT ref: 00EADB26
_free.LIBCMT ref: 00EADB5E
_free.LIBCMT ref: 00EADB65
_free.LIBCMT ref: 00EADB82
_free.LIBCMT ref: 00EADB9A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6a8982af60e760f5b7e6dabfc903cda777670aaa649f1174c77ec25ab763856f
Instruction ID: b6c5656cdfb70da12d128b78e1c98a9807cdd05fb49510096005f178cf68f46b
Opcode Fuzzy Hash: 6a8982af60e760f5b7e6dabfc903cda777670aaa649f1174c77ec25ab763856f
Instruction Fuzzy Hash: 06315A316086049FEB61AA38EC45B9B7BE8FF4A714F116419E54AFF591DA30BC408721

Function 00ED365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00ED369C
_wcslen.LIBCMT ref: 00ED36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ED3797
GetClassNameW.USER32(?,?,00000400), ref: 00ED380C
GetDlgCtrlID.USER32(?), ref: 00ED385D
GetWindowRect.USER32(?,?), ref: 00ED3882
GetParent.USER32(?), ref: 00ED38A0
ScreenToClient.USER32(00000000), ref: 00ED38A7
GetClassNameW.USER32(?,?,00000100), ref: 00ED3921
GetWindowTextW.USER32(?,?,00000400), ref: 00ED395D

Strings

%s%u, xrefs: 00ED3734

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 1fcfecd4465fc49de93dbe1860dd97a865413b46657ce529301cbef53cc05905
Instruction ID: 2f9d7f43fa6e2c0f21476117e2f89349320c51f13eda7240e989bf12e780d976
Opcode Fuzzy Hash: 1fcfecd4465fc49de93dbe1860dd97a865413b46657ce529301cbef53cc05905
Instruction Fuzzy Hash: F591A971204606AFD719DF34C895FAAF7E8FF44354F00562AF999E2290D730EA46CB92

Function 00ED4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00ED4994
GetWindowTextW.USER32(?,?,00000400), ref: 00ED49DA
_wcslen.LIBCMT ref: 00ED49EB
CharUpperBuffW.USER32(?,00000000), ref: 00ED49F7
_wcsstr.LIBVCRUNTIME ref: 00ED4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00ED4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00ED4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00ED4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00ED4B20
GetWindowRect.USER32(?,?), ref: 00ED4B8B

Strings

ThumbnailClass, xrefs: 00ED4A6F, 00ED4AF1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cd0a95d9e224c634eb30978101b5f28d89ccb452fd9ca5d0ab86499e7f748202
Instruction ID: 358a4541b31f2aa7f6ae464ec19a03487621ff8669b9bc189d9136dcacf3aff4
Opcode Fuzzy Hash: cd0a95d9e224c634eb30978101b5f28d89ccb452fd9ca5d0ab86499e7f748202
Instruction Fuzzy Hash: 1191E4B10042059FDB15CF10C985BAA77E8FFA4318F04656BFD85AA2D6DB30DD46CBA1

Function 00EFCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EFCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00EFCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EFCD48

Part of subcall function 00EFCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00EFCCAA
Part of subcall function 00EFCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00EFCCBD
Part of subcall function 00EFCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EFCCCF
Part of subcall function 00EFCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EFCD05
Part of subcall function 00EFCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EFCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EFCCF3

Strings

advapi32.dll, xrefs: 00EFCCB8
RegDeleteKeyExW, xrefs: 00EFCCC9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 2b7e2226ff285e0f6d3dc070c19028c0334946a2b350f0ad09e0f79e2c3b0522
Instruction ID: 2ab2f327e7b373783a83bad91c465dc5cb195f9630d6525aac26a810cef9c01a
Opcode Fuzzy Hash: 2b7e2226ff285e0f6d3dc070c19028c0334946a2b350f0ad09e0f79e2c3b0522
Instruction Fuzzy Hash: 0C316D71A0112DBBDB209B54DD88EFFBB7CEF45754F204265BA06E2240DB349A45EAE0

Function 00EE3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EE3D40
_wcslen.LIBCMT ref: 00EE3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EE3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EE3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00EE3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EE3E55
CloseHandle.KERNEL32(00000000), ref: 00EE3E60
CloseHandle.KERNEL32(00000000), ref: 00EE3E6B

Strings

\, xrefs: 00EE3D77
\??\%s, xrefs: 00EE3D5B
:, xrefs: 00EE3D82

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: a1061ad93ebc83fee533dca4a7dbcdd845a36fa30ba2f4981f1457c369d88f54
Instruction ID: b917e45f3445fea09a5576e32ae9d21010de1edd47b68df3c7dd47e0d3659d4d
Opcode Fuzzy Hash: a1061ad93ebc83fee533dca4a7dbcdd845a36fa30ba2f4981f1457c369d88f54
Instruction Fuzzy Hash: 8D31A17190024DABDB219BA1DC49FEB37BDFF88714F5051A5F509E6060E77097448B64

Function 00EDE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EDE6B4

Part of subcall function 00E8E551: timeGetTime.WINMM(?,?,00EDE6D4), ref: 00E8E555

Sleep.KERNEL32(0000000A), ref: 00EDE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00EDE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EDE727
SetActiveWindow.USER32 ref: 00EDE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EDE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00EDE773
Sleep.KERNEL32(000000FA), ref: 00EDE77E
IsWindow.USER32 ref: 00EDE78A
EndDialog.USER32(00000000), ref: 00EDE79B

Strings

BUTTON, xrefs: 00EDE719

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b9f9cbf03b4c52d9cf70ac6f1eee6b63e168053040f23be1726112a3cbb24d43
Instruction ID: 75025c7c626b4f5dafcc4f7a29b2b068b0d78786541d8c42d65f83e1d19eef38
Opcode Fuzzy Hash: b9f9cbf03b4c52d9cf70ac6f1eee6b63e168053040f23be1726112a3cbb24d43
Instruction Fuzzy Hash: 7621C67420020CAFEB506F70EC8DA363B69F765348F402536FC19A53A1DB72AC01BB65

Function 00EDE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EDEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EDEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EDEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EDEAA7

Strings

close PlayMe, xrefs: 00EDEA6E, 00EDEA9B
alias PlayMe, xrefs: 00EDEA36
status PlayMe mode, xrefs: 00EDEA58
open , xrefs: 00EDEA0C
play PlayMe wait, xrefs: 00EDEA91
play PlayMe, xrefs: 00EDEAA2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: aeec94f55455440f4f41960e64b7de0cf36ac7a582684ac6d3b5941f237ff21a
Instruction ID: ccb331e27c6277cb6352329f0a8951cea7529dc7a807b3a1cf68979a0a8cf42a
Opcode Fuzzy Hash: aeec94f55455440f4f41960e64b7de0cf36ac7a582684ac6d3b5941f237ff21a
Instruction Fuzzy Hash: F111C130A9021A79D720B3A1DC4AEFF6ABCEFD1B10F00542AB415F61D1EA704905C5B1

Function 00ED5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00ED5CE2
GetWindowRect.USER32(00000000,?), ref: 00ED5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00ED5D59
GetDlgItem.USER32(?,00000002), ref: 00ED5D69
GetWindowRect.USER32(00000000,?), ref: 00ED5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00ED5DCF
GetDlgItem.USER32(?,000003E9), ref: 00ED5DDD
GetWindowRect.USER32(00000000,?), ref: 00ED5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00ED5E31
GetDlgItem.USER32(?,000003EA), ref: 00ED5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ED5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00ED5E67

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 2f710854aaa40c9a220f16484e6780a31a209e0c50f93c84f021c761d0f345e6
Instruction ID: 24e323dc4fdeb0ec41a0d8f205b70f2089d87ffebc7a7597fde8eda839f7204f
Opcode Fuzzy Hash: 2f710854aaa40c9a220f16484e6780a31a209e0c50f93c84f021c761d0f345e6
Instruction Fuzzy Hash: B6512171B00609AFDF18DF68DD89AAEBBB5FB48300F149229F915E7290D7709E01CB60

Function 00E88BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E88BE8,?,00000000,?,?,?,?,00E88BBA,00000000,?), ref: 00E88FC5

DestroyWindow.USER32(?), ref: 00E88C81
KillTimer.USER32(00000000,?,?,?,?,00E88BBA,00000000,?), ref: 00E88D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00EC6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E88BBA,00000000,?), ref: 00EC69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E88BBA,00000000,?), ref: 00EC69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E88BBA,00000000), ref: 00EC69D4
DeleteObject.GDI32(00000000), ref: 00EC69E6

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3196be54b4c114fa267aa2fd3b32dea3881acd0397ce5baeea292ad6bdbff44a
Instruction ID: 4492c51e188907c72ae5b0c87789633f9d3ad18f1732251f942fa57fef115d6e
Opcode Fuzzy Hash: 3196be54b4c114fa267aa2fd3b32dea3881acd0397ce5baeea292ad6bdbff44a
Instruction Fuzzy Hash: D461C034101608DFDB21AF14DB48B26B7F1FB5131AF54651DE84AA75A4CB32ACC1EF91

Function 00E89838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E89944: GetWindowLongW.USER32(?,000000EB), ref: 00E89952

GetSysColor.USER32(0000000F), ref: 00E89862

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: bba40956690e4a5451a85b64757fb2f18cbd9932b4612e20efb212af5e29947a
Instruction ID: 831feeb3e26728a0b64a13b37267b7b6b0d7f7f9f07ddc912b4c57ef417e3e9a
Opcode Fuzzy Hash: bba40956690e4a5451a85b64757fb2f18cbd9932b4612e20efb212af5e29947a
Instruction Fuzzy Hash: 1841C631504644AFDB246F38DC84BB93BA5FB46334F185619F9BAA71E2C7319C42EB50

Function 00ED96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00EBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00ED9717
LoadStringW.USER32(00000000,?,00EBF7F8,00000001), ref: 00ED9720

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00EBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00ED9742
LoadStringW.USER32(00000000,?,00EBF7F8,00000001), ref: 00ED9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00ED9866

Strings

^ ERROR, xrefs: 00ED97FB
%s (%d) : ==> %s: %s %s, xrefs: 00ED984A
Line %d:, xrefs: 00ED97A0
Error: , xrefs: 00ED981D
Line %d (File "%s"):, xrefs: 00ED978F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ad3a0204a22a393267d90aef1cd845ff70425726b738b588a6744d8032d6f1e9
Instruction ID: e24588704413bb5278f5a55249c736ba35274a776a4c512a251f4081b7acbc35
Opcode Fuzzy Hash: ad3a0204a22a393267d90aef1cd845ff70425726b738b588a6744d8032d6f1e9
Instruction Fuzzy Hash: DD415D72800209BADF14EBE0DD42DEEB3B8EF55340F50A025F609B2192EA356F49DB61

Function 00ED06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E76B57: _wcslen.LIBCMT ref: 00E76B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00ED07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00ED07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00ED07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00ED0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00ED082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00ED0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00ED083C

Strings

\CLSID, xrefs: 00ED0724
SOFTWARE\Classes\, xrefs: 00ED070E
\IPC$, xrefs: 00ED0784

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 15b120dd0c71e6c2cfaddd90dde08e49c265f5bd0cbc2386cab2fc533c6b2b34
Instruction ID: 76eaa0354ea11d0f272ac50483f2c5d67537f5551d1bf6dd91f7a8645fd169ec
Opcode Fuzzy Hash: 15b120dd0c71e6c2cfaddd90dde08e49c265f5bd0cbc2386cab2fc533c6b2b34
Instruction Fuzzy Hash: 63413A72C10229ABDF15EBA4DC85DEDB7B8FF44754F04912AE905B71A1EB309E04DB90

Function 00EF3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EF3C5C
CoInitialize.OLE32(00000000), ref: 00EF3C8A
CoUninitialize.OLE32 ref: 00EF3C94
_wcslen.LIBCMT ref: 00EF3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00EF3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EF3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00EF3F0E
CoGetObject.OLE32(?,00000000,00F0FB98,?), ref: 00EF3F2D
SetErrorMode.KERNEL32(00000000), ref: 00EF3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EF3FC4
VariantClear.OLEAUT32(?), ref: 00EF3FD8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 649e3d2fd536dc1e5c996e4ee6aba0cc955741ada6dbe068b557fb1975a3c553
Instruction ID: 0ba4231e786afc80ac34ee451f964ee97752ee158005d419d6b53500ed4bb7cb
Opcode Fuzzy Hash: 649e3d2fd536dc1e5c996e4ee6aba0cc955741ada6dbe068b557fb1975a3c553
Instruction Fuzzy Hash: 66C168716083099FD700DF68C88496BB7E9FF89748F10591DFA8AAB251D731EE05CB92

Function 00EE7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EE7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EE7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00EE7BA3
CoCreateInstance.OLE32(00F0FD08,00000000,00000001,00F36E6C,?), ref: 00EE7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EE7C74
CoTaskMemFree.OLE32(?,?), ref: 00EE7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00EE7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EE7D7A
CoTaskMemFree.OLE32(00000000), ref: 00EE7D81
CoTaskMemFree.OLE32(00000000), ref: 00EE7DD6
CoUninitialize.OLE32 ref: 00EE7DDC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5bbf874feab89518e3b6d1cf26f7d022ee27e279c5dda4154f43e8488efc8496
Instruction ID: 1a116b1ae984be51df79e66129d9987b2ffdeebc6bb7272b46b394e41c852d53
Opcode Fuzzy Hash: 5bbf874feab89518e3b6d1cf26f7d022ee27e279c5dda4154f43e8488efc8496
Instruction Fuzzy Hash: 73C14975A04149AFCB14DFA5C884DAEBBF9FF48304B149598E85AEB361D730EE41CB90

Function 00F0541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F05504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F05515
CharNextW.USER32(00000158), ref: 00F05544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F05585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F0559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F055AC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7032ad74a2cead77f6e2c9b47dd0d95484cdb8c6ad44ddf1c24e88c888dae6db
Instruction ID: a61b40cfc78599b8a508f8e464c83f7560553fe96d91c4e5745ce014d810bdf2
Opcode Fuzzy Hash: 7032ad74a2cead77f6e2c9b47dd0d95484cdb8c6ad44ddf1c24e88c888dae6db
Instruction Fuzzy Hash: A5615939900608AADF20DF54CC94AFF7BB9FB09B24F144145F925AA2D0D7B49A81FF60

Function 00ECFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00ECFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00ECFB08
VariantInit.OLEAUT32(?), ref: 00ECFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00ECFB3A
VariantCopy.OLEAUT32(?,?), ref: 00ECFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00ECFBA1
VariantClear.OLEAUT32(?), ref: 00ECFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00ECFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ECFBCC
VariantClear.OLEAUT32(?), ref: 00ECFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ECFBE9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 46ae48fa6f6b3441f4a7b32984853641d803e038e52b924601c6573ac3622f55
Instruction ID: b9bec7d25ca1d2dcc599c55126c4aef218285c5ec45d5fb6a533ec44f87777d3
Opcode Fuzzy Hash: 46ae48fa6f6b3441f4a7b32984853641d803e038e52b924601c6573ac3622f55
Instruction Fuzzy Hash: 8B413E35A002199FCF04DF64C964EAEBBBAFF48344F109169E945A7261CB31AD46CBA0

Function 00ED9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ED9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00ED9D22
GetKeyState.USER32(000000A0), ref: 00ED9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00ED9D57
GetKeyState.USER32(000000A1), ref: 00ED9D6C
GetAsyncKeyState.USER32(00000011), ref: 00ED9D84
GetKeyState.USER32(00000011), ref: 00ED9D96
GetAsyncKeyState.USER32(00000012), ref: 00ED9DAE
GetKeyState.USER32(00000012), ref: 00ED9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00ED9DD8
GetKeyState.USER32(0000005B), ref: 00ED9DEA

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d75ccd758d0817e6aa468d35eddb9cf01e1b8b0d98c8316fd9f8b4302a6f418b
Instruction ID: 848507aecdc148cc61a21ec4ed4a02f20a9c63851070404080147297c189ad2e
Opcode Fuzzy Hash: d75ccd758d0817e6aa468d35eddb9cf01e1b8b0d98c8316fd9f8b4302a6f418b
Instruction Fuzzy Hash: 7A4193346047C969FF3197608C043B5FEA1EB11348F08A05BDAC66A7C3EBA599C9C792

Function 00EF055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EF05BC
inet_addr.WSOCK32(?), ref: 00EF061C
gethostbyname.WSOCK32(?), ref: 00EF0628
IcmpCreateFile.IPHLPAPI ref: 00EF0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EF06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EF06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00EF07B9
WSACleanup.WSOCK32 ref: 00EF07BF

Strings

Ping, xrefs: 00EF0676

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 08a53c6da7515c8650a11b5f7012650300636d93c98f524dd8d636606e37619e
Instruction ID: b4a4b03df9b87d346f40e926d55937a9cb112998617014276f2c17b6cf7fbdcb
Opcode Fuzzy Hash: 08a53c6da7515c8650a11b5f7012650300636d93c98f524dd8d636606e37619e
Instruction Fuzzy Hash: 75919E756082059FD720EF15C888F2ABBE0BF44318F1495A9F569AB6A3C770ED41CF91

Function 00EF8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00EF8CF3

Part of subcall function 00ED8E54: _wcslen.LIBCMT ref: 00ED8E77

_wcslen.LIBCMT ref: 00EF8D4E
_wcslen.LIBCMT ref: 00EF8D9C
_wcslen.LIBCMT ref: 00EF8DDC
_wcslen.LIBCMT ref: 00EF8E6E

Strings

winapi, xrefs: 00EF8D96, 00EF8D9B
none, xrefs: 00EF8E65, 00EF8E6A
cdecl, xrefs: 00EF8D48, 00EF8D4D
stdcall, xrefs: 00EF8DD6, 00EF8DDB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: feb6e63b079e4e295410f19d326199d253ad29f2ee51c8b19e4407b67b3d4532
Instruction ID: 229225eea5607d5daea79251c0130e79cc2812a23f5851106a34c26831bd52e3
Opcode Fuzzy Hash: feb6e63b079e4e295410f19d326199d253ad29f2ee51c8b19e4407b67b3d4532
Instruction Fuzzy Hash: 2A51C372A0051A9BCF24DF68CE518BEB3E5BF64328B205229E626F72C5DB31DD40C790

Function 00EF372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EF3774
CoUninitialize.OLE32 ref: 00EF377F
CoCreateInstance.OLE32(?,00000000,00000017,00F0FB78,?), ref: 00EF37D9
IIDFromString.OLE32(?,?), ref: 00EF384C
VariantInit.OLEAUT32(?), ref: 00EF38E4
VariantClear.OLEAUT32(?), ref: 00EF3936

Strings

Invalid parameter, xrefs: 00EF3865
Failed to create object, xrefs: 00EF37E4, 00EF389A
NULL Pointer assignment, xrefs: 00EF381E

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 628f80124d02bc534b3b2f84dd8dfe5de53f073b556e93f51dd7f6f639f7ee2a
Instruction ID: d8421c8b96fd7dacad4261b13669d6e92b1f380b1385fc48dc16837623091493
Opcode Fuzzy Hash: 628f80124d02bc534b3b2f84dd8dfe5de53f073b556e93f51dd7f6f639f7ee2a
Instruction Fuzzy Hash: 9861A2B0608305AFD314EF64C849F6BB7E4EF48754F10590AFA85A7291D774EE48CB92

Function 00EE3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EE33CF

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EE33F0

Strings

^ ERROR , xrefs: 00EE349E
Incorrect parameters to object property !, xrefs: 00EE34AB
"%s" (%d) : ==> %s:, xrefs: 00EE3522
Error: , xrefs: 00EE34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00EE3504
Line %d (File "%s"):, xrefs: 00EE3443, 00EE345C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ee43b703a86c54d67b9932fbd02a8d060164f528c2cfc8a29be33832b5ba51f2
Instruction ID: 00404165995b4a985365a32f0b817c7a6f0ac66fc795205ce3344dd46b71b233
Opcode Fuzzy Hash: ee43b703a86c54d67b9932fbd02a8d060164f528c2cfc8a29be33832b5ba51f2
Instruction Fuzzy Hash: 8051AF31900209BADF15EBA0CD46EEEB3B8EF14344F209165F509B3192EB356F58EB61

Function 00EDB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EDB5FC
_wcslen.LIBCMT ref: 00EDB608
_wcslen.LIBCMT ref: 00EDB64D
_wcslen.LIBCMT ref: 00EDB68C
_wcslen.LIBCMT ref: 00EDB6C7

Strings

APPEND, xrefs: 00EDB6C1, 00EDB6C6
REMOVE, xrefs: 00EDB602, 00EDB607
EXISTS, xrefs: 00EDB686, 00EDB68B
KEYS, xrefs: 00EDB647, 00EDB64C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: c8b3ec227862e9ce61d913d71593c1392e8fc79a0d3be48588fba968f6fe4377
Instruction ID: 0d5edb8f91048af5bfd2204370d62ee972d85f431614ea85df90e69eb8cf38f1
Opcode Fuzzy Hash: c8b3ec227862e9ce61d913d71593c1392e8fc79a0d3be48588fba968f6fe4377
Instruction Fuzzy Hash: 6141A532A00026DACB105F7D88905BE77A5EBA5758B26522BE435EB384F731CD82C790

Function 00EE5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EE53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EE5416
GetLastError.KERNEL32 ref: 00EE5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00EE54A7

Strings

READY, xrefs: 00EE5460, 00EE5468
INVALID, xrefs: 00EE5459
READONLY, xrefs: 00EE5452
UNKNOWN, xrefs: 00EE5444
NOTREADY, xrefs: 00EE544B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6c47eb12c1aa66b621038a5c20ca88e491af1b6aaf3fbe93cab169d6c4f533b7
Instruction ID: 6fe837fe7d35bdba974e312152a1446f60e1a9921b9c3196cfe9633e6e049e57
Opcode Fuzzy Hash: 6c47eb12c1aa66b621038a5c20ca88e491af1b6aaf3fbe93cab169d6c4f533b7
Instruction Fuzzy Hash: CF31AE36A006489FD710DF69C484AAABBF4FF0430DF149066E416EB392D771DD86CB91

Function 00F03C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00F03C79
SetMenu.USER32(?,00000000), ref: 00F03C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F03D10
IsMenu.USER32(?), ref: 00F03D24
CreatePopupMenu.USER32 ref: 00F03D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F03D5B
DrawMenuBar.USER32 ref: 00F03D63

Strings

0, xrefs: 00F03C54
F, xrefs: 00F03D4E

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 687154dadb7e41643c97cff4b88cab5608f17931a4bf8fc5c8a94958769c0c79
Instruction ID: 0830ca09ff10caebc1763f037d8b8579812b98d2b7a0831ee83e0e73e571091a
Opcode Fuzzy Hash: 687154dadb7e41643c97cff4b88cab5608f17931a4bf8fc5c8a94958769c0c79
Instruction Fuzzy Hash: E0414E79A02209EFDF24CF64D844AEA77B9FF49350F144129F946A73A0D770AA10EF94

Function 00ED1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00ED3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00ED3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00ED1F64
GetDlgCtrlID.USER32 ref: 00ED1F6F
GetParent.USER32 ref: 00ED1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00ED1F8E
GetDlgCtrlID.USER32(?), ref: 00ED1F97
GetParent.USER32(?), ref: 00ED1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00ED1FAE

Strings

ComboBox, xrefs: 00ED1EEC
ListBox, xrefs: 00ED1F21

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6f957fcfebce817845ba6f43cdf05223d3295b712c0635c7110731acbb31c530
Instruction ID: 6ec0b59519b39a6099884e3977e0ff4f1f0e5c3759d89e8bd825a21ae27ab4ee
Opcode Fuzzy Hash: 6f957fcfebce817845ba6f43cdf05223d3295b712c0635c7110731acbb31c530
Instruction Fuzzy Hash: AF21C270A00218BBDF15AFA0CC85DEEBBB8FF15310F105256F965B7291CB355909DBA1

Function 00F03A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F03A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F03AA0
GetWindowLongW.USER32(?,000000F0), ref: 00F03AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F03AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F03B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F03BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F03BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F03BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F03BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F03C13

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5c693e93aa18e2c06ec79e163a6e5af18e46035e848ce3f157fb0171fa010a08
Instruction ID: b5336edba5d055e78ef32fac82a208a64e55cb29ce0bef077d90a14ce210ae9c
Opcode Fuzzy Hash: 5c693e93aa18e2c06ec79e163a6e5af18e46035e848ce3f157fb0171fa010a08
Instruction Fuzzy Hash: D3616B75A00248AFEB10DF68CC81EEE77F8EB49714F104199FA15E72E1D774AA81EB50

Function 00EDB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EDB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EDA1E1,?,00000001), ref: 00EDB165
GetWindowThreadProcessId.USER32(00000000), ref: 00EDB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EDA1E1,?,00000001), ref: 00EDB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EDB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00EDA1E1,?,00000001), ref: 00EDB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EDA1E1,?,00000001), ref: 00EDB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EDA1E1,?,00000001), ref: 00EDB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00EDA1E1,?,00000001), ref: 00EDB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00EDA1E1,?,00000001), ref: 00EDB21D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ab9f1d15ea9cee018b3682153fd5eccebab58f5d1ce6e5823add502d15580ea3
Instruction ID: f0c8e50f25754c9b52cf925914f075932162c88078b31046997bf2440dab6aa9
Opcode Fuzzy Hash: ab9f1d15ea9cee018b3682153fd5eccebab58f5d1ce6e5823add502d15580ea3
Instruction Fuzzy Hash: 5231A576500208FFDB209F28EC84B6D7BB9FB62359F115206FA05E72A0E7B49D419F60

Function 00EA2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA2C94

Part of subcall function 00EA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000), ref: 00EA29DE
Part of subcall function 00EA29C8: GetLastError.KERNEL32(00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000,00000000), ref: 00EA29F0

_free.LIBCMT ref: 00EA2CA0
_free.LIBCMT ref: 00EA2CAB
_free.LIBCMT ref: 00EA2CB6
_free.LIBCMT ref: 00EA2CC1
_free.LIBCMT ref: 00EA2CCC
_free.LIBCMT ref: 00EA2CD7
_free.LIBCMT ref: 00EA2CE2
_free.LIBCMT ref: 00EA2CED
_free.LIBCMT ref: 00EA2CFB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 83deba87fb010263f9eb08ada84b036170c013f67c218d6e5b67d25a24ac8bdb
Instruction ID: 95eb86d7e13c0fb158658639525e61fa88b40950848db6980beaaa5ada3619ba
Opcode Fuzzy Hash: 83deba87fb010263f9eb08ada84b036170c013f67c218d6e5b67d25a24ac8bdb
Instruction Fuzzy Hash: 6F119476500108AFCB42EF58D842CDE3FA5BF4A750F4154A9FA487F222D631FA509B91

Function 00E71410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E71459
OleUninitialize.OLE32(?,00000000), ref: 00E714F8
UnregisterHotKey.USER32(?), ref: 00E716DD
DestroyWindow.USER32(?), ref: 00EB24B9
FreeLibrary.KERNEL32(?), ref: 00EB251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EB254B

Strings

close all, xrefs: 00E71454

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d989f4bd43f75a5383f2be5f0d693ef3ac8400f8ae03cf91a90dcb4e50902650
Instruction ID: d5df0b4648e2a30556d1250193ca37cbb3bf9d6a7d1cfcbac7b465c4e3777b52
Opcode Fuzzy Hash: d989f4bd43f75a5383f2be5f0d693ef3ac8400f8ae03cf91a90dcb4e50902650
Instruction Fuzzy Hash: 0FD18E31702212CFDB29EF58C895A69F7A4BF05704F14A2ADE54E7B262DB30AD12CF51

Function 00EE7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE7FC1
GetFileAttributesW.KERNEL32(?), ref: 00EE7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EE8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EE80B0

Strings

*.*, xrefs: 00EE8066

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dba91f6739f00bc148685f439cf8ae5a02344b04427b45c4180d951e465de7f7
Instruction ID: 976b30432c8b98b5f88f958faf8832d924e40d2de9274aa581a0f0df5bb69122
Opcode Fuzzy Hash: dba91f6739f00bc148685f439cf8ae5a02344b04427b45c4180d951e465de7f7
Instruction Fuzzy Hash: 7581C1715082899BDB24EF56C8409AEB3E8FF84314F14685EF8C9E7260EB34DD45CB92

Function 00E75BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E75C7A

Part of subcall function 00E75D0A: GetClientRect.USER32(?,?), ref: 00E75D30
Part of subcall function 00E75D0A: GetWindowRect.USER32(?,?), ref: 00E75D71
Part of subcall function 00E75D0A: ScreenToClient.USER32(?,?), ref: 00E75D99

GetDC.USER32 ref: 00EB46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EB4708
SelectObject.GDI32(00000000,00000000), ref: 00EB4716
SelectObject.GDI32(00000000,00000000), ref: 00EB472B
ReleaseDC.USER32(?,00000000), ref: 00EB4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EB47C4

Strings

U, xrefs: 00EB4693

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 59a3a203b5d5b383d51bfa34c6d21cde877653ca486085e70560a5e7e173bce4
Instruction ID: 87a164d09dc5cea9ce3e5d47852ce500e80a835b7808d840fa1d5e5e4ebc0dd6
Opcode Fuzzy Hash: 59a3a203b5d5b383d51bfa34c6d21cde877653ca486085e70560a5e7e173bce4
Instruction Fuzzy Hash: B271E175400209DFCF228F64C984AFB7BB5FF4A318F14526AED557A1A6C7318881EF50

Function 00EE359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EE35E4

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

LoadStringW.USER32(00F42390,?,00000FFF,?), ref: 00EE360A

Strings

^ ERROR, xrefs: 00EE36C9
"%s" (%d) : ==> %s:, xrefs: 00EE3742
Error: , xrefs: 00EE36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00EE3724
Line %d (File "%s"):, xrefs: 00EE366B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8d21153686d3c9961bd142166a4d20e8843ea5804ee88a8a7a4a776298f3f496
Instruction ID: d1c679e3d058da5bf93fc41dfb75447214ddfd3a3e38b1245990fab52a45223a
Opcode Fuzzy Hash: 8d21153686d3c9961bd142166a4d20e8843ea5804ee88a8a7a4a776298f3f496
Instruction Fuzzy Hash: 54516171800249BADF15EBA0DC46EEEBBB4EF14304F14A125F50973192EB315B99EFA1

Function 00EEC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EEC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EEC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EEC2CA
GetLastError.KERNEL32 ref: 00EEC322
SetEvent.KERNEL32(?), ref: 00EEC336
InternetCloseHandle.WININET(00000000), ref: 00EEC341

Strings

, xrefs: 00EEC2BB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ab5daba05fded2202dca3faa2511f4c65485597a1673d488e8ab1f2aa0beb555
Instruction ID: ae72fe0d3ca716f6d41d84281a62858dca350735552b4c7203ff740878615c95
Opcode Fuzzy Hash: ab5daba05fded2202dca3faa2511f4c65485597a1673d488e8ab1f2aa0beb555
Instruction Fuzzy Hash: B53180B160064CAFD7219F668C88AAB7BFCFB49744F24951EF446E3210DB30DD069BA1

Function 00ED989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EB3AAF,?,?,Bad directive syntax error,00F0CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00ED98BC
LoadStringW.USER32(00000000,?,00EB3AAF,?), ref: 00ED98C3

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00ED9987

Strings

Error: , xrefs: 00ED9955
Line %d:, xrefs: 00ED9912
%s (%d) : ==> %s.: %s %s, xrefs: 00ED98F1
., xrefs: 00ED996D
Line %d (File "%s"):, xrefs: 00ED992D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: cb1d2748918badeecd6fd183344ee81583822946b19a7806e9fb7e4feaccb7cd
Instruction ID: ac7947ea1b21ffda3333f7b585f2e214551a08fcb85d3d6a46ea1c998f98a8d3
Opcode Fuzzy Hash: cb1d2748918badeecd6fd183344ee81583822946b19a7806e9fb7e4feaccb7cd
Instruction Fuzzy Hash: 49217E31C0021ABBCF15AF90CC16EEE77B5FF18300F04A466F519760A2EB319618EB51

Function 00ED209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00ED20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00ED20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00ED214D

Strings

list, xrefs: 00ED212F
largeicons, xrefs: 00ED20E1
SHELLDLL_DefView, xrefs: 00ED20CC
smallicons, xrefs: 00ED2115
details, xrefs: 00ED20FB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 3d590c0a44f9125398b7dc16d4e3071c7e1984f75ceb058077b5d4b8885179b5
Instruction ID: 701944f787d1015a3531be62446c7eb2a17356ab4bf3a89a0189a9b58b7c1563
Opcode Fuzzy Hash: 3d590c0a44f9125398b7dc16d4e3071c7e1984f75ceb058077b5d4b8885179b5
Instruction Fuzzy Hash: D5112976688706B9FA112320DC07DE677DCDF64738F20621BFB04B51E1FEA1A8036654

Function 00EACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00EACEB7
_free.LIBCMT ref: 00EACF22
_free.LIBCMT ref: 00EACF48
_free.LIBCMT ref: 00EACF71
_free.LIBCMT ref: 00EACFA9
_free.LIBCMT ref: 00EACFDA
_free.LIBCMT ref: 00EAD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00EAD09C
_free.LIBCMT ref: 00EAD0B5

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1af713be7211d3581ef61eb650f448aa2725270f67e886618d9da62341ebd546
Instruction ID: 6bbf1aa077ef29a3710cefb2b23f341f8ee1900a85df890a24fc9e68b9ccb495
Opcode Fuzzy Hash: 1af713be7211d3581ef61eb650f448aa2725270f67e886618d9da62341ebd546
Instruction Fuzzy Hash: E4614876A04304AFDF21AFB89C81A6A7BE5AF0F314F24516DFA55BF281DA31BD018750

Function 00F050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00F05186
ShowWindow.USER32(?,00000000), ref: 00F051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00F051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00F051D1

Part of subcall function 00F06FBA: DeleteObject.GDI32(00000000), ref: 00F06FE6

GetWindowLongW.USER32(?,000000F0), ref: 00F0520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F0521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F0524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00F05287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00F05296

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: a5377cb80885f2d19ace8dae93a05fd893dc65b9a758817e1cbad0c04461c9e6
Instruction ID: 0ec5f33faee1d1b4810b0091743081ae6e313112b8373c1f488ce4588678f9fd
Opcode Fuzzy Hash: a5377cb80885f2d19ace8dae93a05fd893dc65b9a758817e1cbad0c04461c9e6
Instruction Fuzzy Hash: 00516E31A50A08FFEF209F64CC49B9A7BA5BF05B21F144112FA19962E1C7B5A990FF41

Function 00E88B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00EC6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00EC68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EC68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00EC68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EC68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E88874,00000000,00000000,00000000,000000FF,00000000), ref: 00EC6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EC691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E88874,00000000,00000000,00000000,000000FF,00000000), ref: 00EC692D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 67daf4f91209f21d5e971994a0a51e0471e08a9cc13d4bd337fa8e7b03c1bf3a
Instruction ID: 5b309a55933a4ff1ae2e2eb087bc691282381c79b48a23fb9c03bb1dbd534ab5
Opcode Fuzzy Hash: 67daf4f91209f21d5e971994a0a51e0471e08a9cc13d4bd337fa8e7b03c1bf3a
Instruction Fuzzy Hash: B651BC74600209EFDB20DF24CD91FAA7BB5FF88754F105218F90AA72A0DB71E991EB40

Function 00EEC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EEC182
GetLastError.KERNEL32 ref: 00EEC195
SetEvent.KERNEL32(?), ref: 00EEC1A9

Part of subcall function 00EEC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EEC272
Part of subcall function 00EEC253: GetLastError.KERNEL32 ref: 00EEC322
Part of subcall function 00EEC253: SetEvent.KERNEL32(?), ref: 00EEC336
Part of subcall function 00EEC253: InternetCloseHandle.WININET(00000000), ref: 00EEC341

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 004acec6be44e5dffaeb5612252c529becdbe5ddce6e0aa707b646c927781fee
Instruction ID: 2406dfbdb1f8729e8b821a83a639e914ec352e8b2547a42b5550b61b348d106a
Opcode Fuzzy Hash: 004acec6be44e5dffaeb5612252c529becdbe5ddce6e0aa707b646c927781fee
Instruction Fuzzy Hash: 97318371100A89EFDB219FA6DD44A66BBF9FF18304B20551DFA5693620D730E816EBA0

Function 00ED25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ED3A57
Part of subcall function 00ED3A3D: GetCurrentThreadId.KERNEL32 ref: 00ED3A5E
Part of subcall function 00ED3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00ED25B3), ref: 00ED3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00ED25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00ED25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00ED25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00ED25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00ED2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00ED2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00ED260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00ED2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00ED2627

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a14bb1dca45375e8f1cb6886484d4a8b2e0abf4cece079239678f0b66c6b3209
Instruction ID: e0c5c2070e69046ebd966586e835294596fb792b1d54d1c34317fe9107423134
Opcode Fuzzy Hash: a14bb1dca45375e8f1cb6886484d4a8b2e0abf4cece079239678f0b66c6b3209
Instruction Fuzzy Hash: 0601D830390214BBFB2067699C8AF597F99EB5EB11F101106F318AF1D1C9E254459AEA

Function 00ED1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00ED1449,?,?,00000000), ref: 00ED180C
HeapAlloc.KERNEL32(00000000,?,00ED1449,?,?,00000000), ref: 00ED1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00ED1449,?,?,00000000), ref: 00ED1828
GetCurrentProcess.KERNEL32(?,00000000,?,00ED1449,?,?,00000000), ref: 00ED1830
DuplicateHandle.KERNEL32(00000000,?,00ED1449,?,?,00000000), ref: 00ED1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00ED1449,?,?,00000000), ref: 00ED1843
GetCurrentProcess.KERNEL32(00ED1449,00000000,?,00ED1449,?,?,00000000), ref: 00ED184B
DuplicateHandle.KERNEL32(00000000,?,00ED1449,?,?,00000000), ref: 00ED184E
CreateThread.KERNEL32(00000000,00000000,00ED1874,00000000,00000000,00000000), ref: 00ED1868

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 458b60af547be2bfda828c4b1c7e5b36085773352758506be0866cb153468bcc
Instruction ID: 4f910920dd1131c24c677922b239fc811e8db331a5cde3b98d11cc046bb0479a
Opcode Fuzzy Hash: 458b60af547be2bfda828c4b1c7e5b36085773352758506be0866cb153468bcc
Instruction Fuzzy Hash: F401BF75240308BFE710AB65DC4DF573B6CFB89B11F004511FA05DB192C6709800DB60

Function 00EA3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EA3F0B
__alldvrm.LIBCMT ref: 00EA410C
__alldvrm.LIBCMT ref: 00EA412E

Strings

}}, xrefs: 00EA40CD
}}, xrefs: 00EA3E96, 00EA3EF1, 00EA3F0A, 00EA4090
}}, xrefs: 00EA3E8A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 85b93f0622df038da2aff6af76cff91de62fc009fdda8574e3ce6e2f844285e7
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: E1A199B5E103829FDB11CF28C8917EEBBE4EFAB354F1441ADE581AF281C2B4A941C751

Function 00EFA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00EDD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EDD501
Part of subcall function 00EDD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EDD50F
Part of subcall function 00EDD4DC: CloseHandle.KERNEL32(00000000), ref: 00EDD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EFA16D
GetLastError.KERNEL32 ref: 00EFA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EFA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00EFA268
GetLastError.KERNEL32(00000000), ref: 00EFA273
CloseHandle.KERNEL32(00000000), ref: 00EFA2C4

Strings

SeDebugPrivilege, xrefs: 00EFA18F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 53b75b4831c2cad8d718ca1937c900a53f740825aacb1cf2ff70b4dc29d55156
Instruction ID: efd8e45fb0afa0d8a9d0356e0c4e73f7bb61e0c1a7b39e579780b1eb04fab356
Opcode Fuzzy Hash: 53b75b4831c2cad8d718ca1937c900a53f740825aacb1cf2ff70b4dc29d55156
Instruction Fuzzy Hash: FE61ADB0204202AFE720DF18C494F29BBE5AF44318F18949CE56A5F7A3C772EC45CB92

Function 00F03886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F03925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F0393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F03954
_wcslen.LIBCMT ref: 00F03999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F039F4

Strings

SysListView32, xrefs: 00F038F7

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 565340cfcf68ecca69ec5f812964397468a1023dcb5a139f6c3788040fd0de03
Instruction ID: a4dea342158a4bfa3257e4bbbd28a30bb564c850a1da982a39df770f5946f0e0
Opcode Fuzzy Hash: 565340cfcf68ecca69ec5f812964397468a1023dcb5a139f6c3788040fd0de03
Instruction Fuzzy Hash: 65418171E00219ABEF219F64CC45BEA7BADFF08360F100566F958E72C1D7759A80EB90

Function 00EDBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EDBCFD
IsMenu.USER32(00000000), ref: 00EDBD1D
CreatePopupMenu.USER32 ref: 00EDBD53
GetMenuItemCount.USER32(018E5708), ref: 00EDBDA4
InsertMenuItemW.USER32(018E5708,?,00000001,00000030), ref: 00EDBDCC

Strings

0, xrefs: 00EDBCA8
2, xrefs: 00EDBD37

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 4bc5c963637d337fc7cb79c4f808564bdce4314beb0e9449aeb2155848e39460
Instruction ID: 51d27b079ad14eeda4de8c89e8331af67a9ef2318ef54bbc70de0bb61f1ea71b
Opcode Fuzzy Hash: 4bc5c963637d337fc7cb79c4f808564bdce4314beb0e9449aeb2155848e39460
Instruction Fuzzy Hash: 34519E70A00209DBDB10CFA8D884BAEBBF6FF49318F15525AE441FB390E7719942CB61

Function 00E92D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E92D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00E92D53
_ValidateLocalCookies.LIBCMT ref: 00E92DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00E92E0C
_ValidateLocalCookies.LIBCMT ref: 00E92E61

Strings

csm, xrefs: 00E92DF6
&H, xrefs: 00E92DFE, 00E92E07, 00E92E18

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: 00632ac938a08ca39bbe6231c66d72ff71130dd5d12af7188cbb112bc8d81b37
Instruction ID: 05bfb6a1467ee518ba05aa52c05df50de7128dd99961403d38d1cd72e72f3260
Opcode Fuzzy Hash: 00632ac938a08ca39bbe6231c66d72ff71130dd5d12af7188cbb112bc8d81b37
Instruction Fuzzy Hash: 23419D34A01209BBCF14DF68C885ADEBBF5BF44328F149159EA14BB392D731AA45CBD1

Function 00EDC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00EDC913

Strings

question, xrefs: 00EDC8CC
warning, xrefs: 00EDC8FC
info, xrefs: 00EDC8B4
stop, xrefs: 00EDC8E4
blank, xrefs: 00EDC895

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d7054a9e8d94d1cccfbb7d61d2d17195ae12dbfd199ab87239664c17ea283950
Instruction ID: 1571f4cc6636fd10ab112f39e44d678461e728fd291859ebbe48ac6e9450e7f2
Opcode Fuzzy Hash: d7054a9e8d94d1cccfbb7d61d2d17195ae12dbfd199ab87239664c17ea283950
Instruction Fuzzy Hash: B9110B35689307BAEB0557549C92C9A77DCDF153A8B70502BF504B63C1E7A0AD02A265

Function 00EDED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00EDED2A
_wcslen.LIBCMT ref: 00EDED3B
_wcslen.LIBCMT ref: 00EDED79
_wcslen.LIBCMT ref: 00EDEDAF
_wcslen.LIBCMT ref: 00EDEDDF
_wcslen.LIBCMT ref: 00EDEDEF
_wcslen.LIBCMT ref: 00EDEE2B
_wcslen.LIBCMT ref: 00EDEE5A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1b9188914577f5b13cb9719967b4921cb1568ca20e26afdb2e5b4b3150d9722c
Instruction ID: 16cf4fa81f6e9ed87d08fb3a0dc5bb36a77c8c637fce0203a34e8306a9355f2c
Opcode Fuzzy Hash: 1b9188914577f5b13cb9719967b4921cb1568ca20e26afdb2e5b4b3150d9722c
Instruction Fuzzy Hash: 8E415E65C1021865CF11EBB48C8A9CFB7E8EF45710F50A563E918F7262EB34E256C3A5

Function 00E8F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00EC682C,00000004,00000000,00000000), ref: 00E8F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00EC682C,00000004,00000000,00000000), ref: 00ECF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00EC682C,00000004,00000000,00000000), ref: 00ECF454

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 12dc677e31f7979b41f46e6348737ce987e79087a43f1c9d5665320244b8b674
Instruction ID: 859a9cdd96dd43ca883b9c606a9edbb3e7a23be9f8fc48a5384bdc057775898d
Opcode Fuzzy Hash: 12dc677e31f7979b41f46e6348737ce987e79087a43f1c9d5665320244b8b674
Instruction Fuzzy Hash: 2D414E30604680FAD739AB6CC988B6A7BD2BBD6318F14713CE48F76560C636D881DB51

Function 00F02D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F02D1B
GetDC.USER32(00000000), ref: 00F02D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F02D2E
ReleaseDC.USER32(00000000,00000000), ref: 00F02D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F02D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F02D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F05A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00F02DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F02DE1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 912108929516f6b127858cf3a89a24e355fce47db1bbf756466c182e0bce9a97
Instruction ID: eae09a6728ac945c2e26d989807560c28def3375112dc36a8513992eebe2b31f
Opcode Fuzzy Hash: 912108929516f6b127858cf3a89a24e355fce47db1bbf756466c182e0bce9a97
Instruction Fuzzy Hash: 01315A72202214ABEB218F548C8AFAB3BA9FB09725F044155FE089A2D1C6759C51EBB4

Function 00ED5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00ED5637
_memcmp.LIBVCRUNTIME ref: 00ED5659
_memcmp.LIBVCRUNTIME ref: 00ED5671
_memcmp.LIBVCRUNTIME ref: 00ED5684
_memcmp.LIBVCRUNTIME ref: 00ED569E
_memcmp.LIBVCRUNTIME ref: 00ED56B1
_memcmp.LIBVCRUNTIME ref: 00ED56C9
_memcmp.LIBVCRUNTIME ref: 00ED56E4

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9f275430c4868aca9caaa5377fcef53f74c53babab4de4c15818fa08e47d4e6e
Instruction ID: febce74e7faa2b364c1e0eac0816e0f83fe9af255cf8369e6e3b860fbca9fc00
Opcode Fuzzy Hash: 9f275430c4868aca9caaa5377fcef53f74c53babab4de4c15818fa08e47d4e6e
Instruction Fuzzy Hash: 4321FF63644A06BBE62595104D43FFA33ACEF10384F546023FD157ABC1F720DE1695A6

Function 00EF4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00EF5007
NULL Pointer assignment, xrefs: 00EF502E, 00EF5383

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 53ed89212d22d4d5d8783238237d889bef80d944e7f2b2c7443602688574ee0e
Instruction ID: 7057d57d9489498f9557c39dd3aef9d8b03647dc8790a33e8b2cfec56ff12601
Opcode Fuzzy Hash: 53ed89212d22d4d5d8783238237d889bef80d944e7f2b2c7443602688574ee0e
Instruction Fuzzy Hash: BDD19F72A0060EAFDB10CF98C880BBEB7B5BF58354F149169EA15BB281D770ED41CB90

Function 00EB1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00EB15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00EB1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EB16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00EB16FB

Part of subcall function 00EA3820: RtlAllocateHeap.NTDLL(00000000,?,00F41444,?,00E8FDF5,?,?,00E7A976,00000010,00F41440,00E713FC,?,00E713C6,?,00E71129), ref: 00EA3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EB1777
__freea.LIBCMT ref: 00EB17A2
__freea.LIBCMT ref: 00EB17AE

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 69434e628fb11edb75e154aca1ad63a24059d06ed7f3a757fca09d7ffb9e5229
Instruction ID: 1a928742ae6b1a49b42e3703b3ff590bd8c3302a605e5cafe22b846c3c225076
Opcode Fuzzy Hash: 69434e628fb11edb75e154aca1ad63a24059d06ed7f3a757fca09d7ffb9e5229
Instruction Fuzzy Hash: BF91C571E112169ADF208F74C8A1AEF7BF5AF4A324F986699E901F7180DB35DC40C7A0

Function 00EF4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EF4648
VariantInit.OLEAUT32(?), ref: 00EF4749
VariantClear.OLEAUT32(?), ref: 00EF4753
VariantClear.OLEAUT32(?), ref: 00EF47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00EF45D8, 00EF4706, 00EF47BE
Incorrect Object type in FOR..IN loop, xrefs: 00EF472C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: da122c39edb4160d42c2c21e5a18f0380477213addcfc58edb069d2b9fbc6bcb
Instruction ID: 5bbe756216ff298efc7f865cc5039d0e23698400bbbd23f262fdfcd5909ff937
Opcode Fuzzy Hash: da122c39edb4160d42c2c21e5a18f0380477213addcfc58edb069d2b9fbc6bcb
Instruction Fuzzy Hash: E29170B1A00219ABDF24DFA5C884FAFB7B8AF46714F10955AF605BB2C0D7709945CFA0

Function 00EE1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EE125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EE1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EE12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EE12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EE135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EE13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EE1430

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8284687389be9a4fa930d5fc5f71aba75adf66f92e5590f414f18bd8a9cdbda2
Instruction ID: 0c42591d41388d5d21540ba11ec51389b6eb4c7c8d2c7b3e914d4bbd87fc89d6
Opcode Fuzzy Hash: 8284687389be9a4fa930d5fc5f71aba75adf66f92e5590f414f18bd8a9cdbda2
Instruction Fuzzy Hash: DF91BE75A0024C9FDB00DFA5C884BBEB7B5FF49314F1150A9EA50FB2A1D774A981DB90

Function 00E8948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: db303234b6701201caf25c05056dfc6cee1b8080ea55c9e963601810ce15e696
Instruction ID: 2a2eafdc494b94848cf3115d99a4f1a1e40ca690e3027f993fdd9ff1b04dd1a9
Opcode Fuzzy Hash: db303234b6701201caf25c05056dfc6cee1b8080ea55c9e963601810ce15e696
Instruction Fuzzy Hash: 1D913671D00219EFCB10DFA9C984AEEBBB8FF48324F185149E519B7252D375A942DBA0

Function 00EF3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EF396B
CharUpperBuffW.USER32(?,?), ref: 00EF3A7A
_wcslen.LIBCMT ref: 00EF3A8A
VariantClear.OLEAUT32(?), ref: 00EF3C1F

Part of subcall function 00EE0CDF: VariantInit.OLEAUT32(00000000), ref: 00EE0D1F
Part of subcall function 00EE0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EE0D28
Part of subcall function 00EE0CDF: VariantClear.OLEAUT32(?), ref: 00EE0D34

Strings

Incorrect Parameter format, xrefs: 00EF39A6, 00EF3BA1
AUTOIT.ERROR, xrefs: 00EF3A80, 00EF3A85

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 98c4e3530d7d486d761b3a4036cc1e7edde8a83cf0b04d9fe059dc8a31c850f1
Instruction ID: 59b582958ac06e078e7e9078262f572cdbc2c35457ea2c9ae3937f9a9c71edab
Opcode Fuzzy Hash: 98c4e3530d7d486d761b3a4036cc1e7edde8a83cf0b04d9fe059dc8a31c850f1
Instruction Fuzzy Hash: 04918B746083099FC704EF24C49196AB7E5FF88314F14992EF98AAB351DB31EE45CB92

Function 00EF4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00ED000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?,?,?,00ED035E), ref: 00ED002B
Part of subcall function 00ED000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?,?), ref: 00ED0046
Part of subcall function 00ED000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?,?), ref: 00ED0054
Part of subcall function 00ED000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?), ref: 00ED0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00EF4C51
_wcslen.LIBCMT ref: 00EF4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EF4DCF
CoTaskMemFree.OLE32(?), ref: 00EF4DDA

Strings

NULL Pointer assignment, xrefs: 00EF4E23, 00EF4E52

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a3488aba228ce8bfa46a4f7307acf37be836c2fc829c5ef15f6fc958c367ff7b
Instruction ID: 2a18c276f321fdb58337192810d2da2da7cf697bc5a8cf22692ff72d989b7c63
Opcode Fuzzy Hash: a3488aba228ce8bfa46a4f7307acf37be836c2fc829c5ef15f6fc958c367ff7b
Instruction Fuzzy Hash: DF9129B1D0021DAFDF14DFA4C881AEEB7B8BF48314F10916AE519BB291DB345A45CF60

Function 00F020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F02183
GetMenuItemCount.USER32(00000000), ref: 00F021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F021DD
_wcslen.LIBCMT ref: 00F02213
GetMenuItemID.USER32(?,?), ref: 00F0224D
GetSubMenu.USER32(?,?), ref: 00F0225B

Part of subcall function 00ED3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ED3A57
Part of subcall function 00ED3A3D: GetCurrentThreadId.KERNEL32 ref: 00ED3A5E
Part of subcall function 00ED3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00ED25B3), ref: 00ED3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F022E3

Part of subcall function 00EDE97B: Sleep.KERNEL32 ref: 00EDE9F3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 25f306e8237b4c3b646cc4119f27e6415b8bce33b8886d998a4a826986616fac
Instruction ID: 804832b050a93bafec018d3f72c526241b84bafa1e54f3c2802a0719df7c7e3e
Opcode Fuzzy Hash: 25f306e8237b4c3b646cc4119f27e6415b8bce33b8886d998a4a826986616fac
Instruction Fuzzy Hash: AC716075E00205AFCB54DFA4C845AAEB7F5FF48320F148459E81AFB391D734AD41ABA0

Function 00F07E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018E5528), ref: 00F07F37
IsWindowEnabled.USER32(018E5528), ref: 00F07F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F0801E
SendMessageW.USER32(018E5528,000000B0,?,?), ref: 00F08051
IsDlgButtonChecked.USER32(?,?), ref: 00F08089
GetWindowLongW.USER32(018E5528,000000EC), ref: 00F080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F080C3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 217a984240c51dcf62996b0a6cd77e4bc74beb821d22ccda53986657ce6f89aa
Instruction ID: 5f4df3ce107aeb829762344ed482c658437734b9fe2ce54f94320b8e71b3ee37
Opcode Fuzzy Hash: 217a984240c51dcf62996b0a6cd77e4bc74beb821d22ccda53986657ce6f89aa
Instruction Fuzzy Hash: F871A034E08349AFEF21AF54CC84FAA7BB5FF09351F144499E955932A1CB31A845FBA0

Function 00EDAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00EDAEF9
GetKeyboardState.USER32(?), ref: 00EDAF0E
SetKeyboardState.USER32(?), ref: 00EDAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00EDAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00EDAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00EDAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EDB020

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 154ac6c812ae15b772c4a03b44ccb6fa62264140e8456f763f3e04f61538726c
Instruction ID: 5031fb1cc91345e41721d4bf071bfa905ebc0a29ea547cd27be93c6ac3844ced
Opcode Fuzzy Hash: 154ac6c812ae15b772c4a03b44ccb6fa62264140e8456f763f3e04f61538726c
Instruction Fuzzy Hash: 6B5102A06043D57DFB324334CC05BBBBEE99B06308F0C959AE1D9655C2D3D8AACAD351

Function 00EDACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EDAD19
GetKeyboardState.USER32(?), ref: 00EDAD2E
SetKeyboardState.USER32(?), ref: 00EDAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EDADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EDADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EDAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EDAE38

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4707b1f2820ce86e6e9c3e14426fe7ec062eeba5e8d9ab35f73249982e9f0f84
Instruction ID: 1ce16fa87133a57822d38f961aa4dd2918b1280ad936b19c3b910ea616cb1227
Opcode Fuzzy Hash: 4707b1f2820ce86e6e9c3e14426fe7ec062eeba5e8d9ab35f73249982e9f0f84
Instruction Fuzzy Hash: 5F5127A15047D53DFB3243348C45B7A7FD9EB06308F0C959AE0D566AC2D294EEC5E362

Function 00EA542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00EB3CD6,?,?,?,?,?,?,?,?,00EA5BA3,?,?,00EB3CD6,?,?), ref: 00EA5470
__fassign.LIBCMT ref: 00EA54EB
__fassign.LIBCMT ref: 00EA5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00EB3CD6,00000005,00000000,00000000), ref: 00EA552C
WriteFile.KERNEL32(?,00EB3CD6,00000000,00EA5BA3,00000000,?,?,?,?,?,?,?,?,?,00EA5BA3,?), ref: 00EA554B
WriteFile.KERNEL32(?,?,00000001,00EA5BA3,00000000,?,?,?,?,?,?,?,?,?,00EA5BA3,?), ref: 00EA5584

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: afb2324bfb11f852857e69fda202b3c84bdbaf8e81f988fcb2ef4679beb6cdd7
Instruction ID: c9bceef325ab0c03290ec355f3bdd2f551fcd5b88edbc7583175bd07605fdb77
Opcode Fuzzy Hash: afb2324bfb11f852857e69fda202b3c84bdbaf8e81f988fcb2ef4679beb6cdd7
Instruction Fuzzy Hash: 3A519171E006499FDB10CFA8D845AEEBBF9EF4E310F14511AF955FB291D630AA41CBA0

Function 00EF10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF304E: inet_addr.WSOCK32(?), ref: 00EF307A
Part of subcall function 00EF304E: _wcslen.LIBCMT ref: 00EF309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00EF1112
WSAGetLastError.WSOCK32 ref: 00EF1121
WSAGetLastError.WSOCK32 ref: 00EF11C9
closesocket.WSOCK32(00000000), ref: 00EF11F9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f5fd071135fead011039a48cf258a93acaac7758d552a069f49d52b7183e7598
Instruction ID: c7bacd79cbc8dc0a7f673ffe0a36a4e2ca9ea36ed09d45175729c42c82697973
Opcode Fuzzy Hash: f5fd071135fead011039a48cf258a93acaac7758d552a069f49d52b7183e7598
Instruction Fuzzy Hash: 7841B13160021CEFDB109F24C884BB9B7EAFF45368F149199FA19AB291C774AD41CBE1

Function 00EDCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EDCF22,?), ref: 00EDDDFD

Part of subcall function 00EDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EDCF22,?), ref: 00EDDE16

lstrcmpiW.KERNEL32(?,?), ref: 00EDCF45
MoveFileW.KERNEL32(?,?), ref: 00EDCF7F
_wcslen.LIBCMT ref: 00EDD005
_wcslen.LIBCMT ref: 00EDD01B
SHFileOperationW.SHELL32(?), ref: 00EDD061

Strings

\*.*, xrefs: 00EDCFF3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e5950ebc5f8b5685e69ab300ea64e91ec184193ec828f2529e3561f59a4d496f
Instruction ID: d08c6ec987df235c6d88e9ba05ea898167a312d7dbfbd1f905f90eca5a1b5206
Opcode Fuzzy Hash: e5950ebc5f8b5685e69ab300ea64e91ec184193ec828f2529e3561f59a4d496f
Instruction Fuzzy Hash: B64133719452195FDF12EBA4CD81ADEB7F9EF48380F1410E7E509FB242EA34A649CB50

Function 00F02DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F02E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00F02E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00F02E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F02EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F02EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F02EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F02F0B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ed56f2b02cda87bbb9f365a3b7091b119a99da4ef625716b7c367d649fa1487c
Instruction ID: bd913e4941e5a2edf7923bd929a5219887fe84a2649da467c167b01444a23ccf
Opcode Fuzzy Hash: ed56f2b02cda87bbb9f365a3b7091b119a99da4ef625716b7c367d649fa1487c
Instruction Fuzzy Hash: 8D310535A84158AFEB61CF58DC88F6537E5FB5A760F150164FA048B2F2CB71A880FB61

Function 00ED7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ED7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ED778F
SysAllocString.OLEAUT32(00000000), ref: 00ED7792
SysAllocString.OLEAUT32(?), ref: 00ED77B0
SysFreeString.OLEAUT32(?), ref: 00ED77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00ED77DE
SysAllocString.OLEAUT32(?), ref: 00ED77EC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 161fc56fce4770ea3e2fc4799e9abab80f38b1eabd0ccead01ce4ee99fecb9b4
Instruction ID: 1f2d15d5f93ef0027b367551d3d13b685a1088e7abcf9580624df3efe394e5a0
Opcode Fuzzy Hash: 161fc56fce4770ea3e2fc4799e9abab80f38b1eabd0ccead01ce4ee99fecb9b4
Instruction Fuzzy Hash: 18218376604219AFDB10DFA8CC84CBB77ACFB097657048527F955EB290E670DC42C7A4

Function 00ED77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ED7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ED7868
SysAllocString.OLEAUT32(00000000), ref: 00ED786B
SysAllocString.OLEAUT32 ref: 00ED788C
SysFreeString.OLEAUT32 ref: 00ED7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00ED78AF
SysAllocString.OLEAUT32(?), ref: 00ED78BD

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c6f3e75a01b799049e920ad2138a0bd2b467856b3b2f00172ebc9aad6fcae5c4
Instruction ID: 858c117549393c59743c1cd442644f58cfb62efab53582859fae88b278afa714
Opcode Fuzzy Hash: c6f3e75a01b799049e920ad2138a0bd2b467856b3b2f00172ebc9aad6fcae5c4
Instruction Fuzzy Hash: BC21B639604118AFDB14EFB8DC8DDAA77ECFB083647108126F955DB2A1E670DC42DB64

Function 00EE04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EE04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EE052E

Strings

nul, xrefs: 00EE0567

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6d2607d45c572b9ece82a92798ea3d8e72c9a6249c3685df687426fe102842e4
Instruction ID: 018ff2f589b2a0f421ab2cd048b4b9081cb98c35df9778ebc1506aa00aff7fba
Opcode Fuzzy Hash: 6d2607d45c572b9ece82a92798ea3d8e72c9a6249c3685df687426fe102842e4
Instruction Fuzzy Hash: EB215C75500349ABDB309F2ADC44A9A77B4BF45728F604A19E8E1E62E0D7B0D984DF60

Function 00EE05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EE05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EE0601

Strings

nul, xrefs: 00EE0639

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f53fcd0d6706fbc5e57e2daa64964a60009b7b0fad68cb9d90b862e6f914357e
Instruction ID: 8dde7244fa3f291e7807b7fae6901fe679846a3dcc2470d547813518811b9ddf
Opcode Fuzzy Hash: f53fcd0d6706fbc5e57e2daa64964a60009b7b0fad68cb9d90b862e6f914357e
Instruction Fuzzy Hash: 9521817550034A9BDB209F6A9C04B9A77E4BF95734F240B19F8A1F72E0D7F098A0DB50

Function 00F040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E7604C
Part of subcall function 00E7600E: GetStockObject.GDI32(00000011), ref: 00E76060
Part of subcall function 00E7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E7606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F04112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F0411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F0412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F04139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F04145

Strings

Msctls_Progress32, xrefs: 00F040E3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a250763622a5c5a02807649d3e5b7b05d987c1a92c09ba866dc0e7d5ca687602
Instruction ID: 3562f178a3a21a88e1edb9b39acbf147fbcbcf7fc97fbe0b0dda38f55821f87a
Opcode Fuzzy Hash: a250763622a5c5a02807649d3e5b7b05d987c1a92c09ba866dc0e7d5ca687602
Instruction Fuzzy Hash: 8911B9B214011DBEEF215F64CC85EE77F5DEF08798F004110BB18A2090C672DC61EBA4

Function 00EAD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EAD7A3: _free.LIBCMT ref: 00EAD7CC

_free.LIBCMT ref: 00EAD82D

Part of subcall function 00EA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000), ref: 00EA29DE
Part of subcall function 00EA29C8: GetLastError.KERNEL32(00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000,00000000), ref: 00EA29F0

_free.LIBCMT ref: 00EAD838
_free.LIBCMT ref: 00EAD843
_free.LIBCMT ref: 00EAD897
_free.LIBCMT ref: 00EAD8A2
_free.LIBCMT ref: 00EAD8AD
_free.LIBCMT ref: 00EAD8B8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7a14740361050685d85a66d7363c091873734387064162a14f0ab48bd7523415
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: F8115171544B04AAD525BFB0CC47FCB7BDC6F4A700F40182AB29ABE8A2DA65B5054751

Function 00EDDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EDDA74
LoadStringW.USER32(00000000), ref: 00EDDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EDDA91
LoadStringW.USER32(00000000), ref: 00EDDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EDDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00EDDAB9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5960f1884b83ee77d19f79dea10ab2942dcdae0c35bc1c7b63d183d52e109a31
Instruction ID: 608b571b6df763581c5da7b889d3e4451d2df8645d838ff38e6e221737eedfd9
Opcode Fuzzy Hash: 5960f1884b83ee77d19f79dea10ab2942dcdae0c35bc1c7b63d183d52e109a31
Instruction Fuzzy Hash: 9B0186F690020CBFE710DBA4DD89EEB336CE708701F405592B706E2081E6749E855FB4

Function 00EE096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(018DE408,018DE408), ref: 00EE097B
EnterCriticalSection.KERNEL32(018DE3E8,00000000), ref: 00EE098D
TerminateThread.KERNEL32(454D414E,000001F6), ref: 00EE099B
WaitForSingleObject.KERNEL32(454D414E,000003E8), ref: 00EE09A9
CloseHandle.KERNEL32(454D414E), ref: 00EE09B8
InterlockedExchange.KERNEL32(018DE408,000001F6), ref: 00EE09C8
LeaveCriticalSection.KERNEL32(018DE3E8), ref: 00EE09CF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ed058b545c82f301180ad3f59fed497b153c2a53b083a29663c7ffd247db62e3
Instruction ID: e8cd5c4e3f2f511a2f1d7e5529da5d92292d08f70f1cf7ca406a443ebbb13253
Opcode Fuzzy Hash: ed058b545c82f301180ad3f59fed497b153c2a53b083a29663c7ffd247db62e3
Instruction Fuzzy Hash: 81F03C32442A06BBD7525FA5EE8CBD6BB39FF41702F402225F202A0CA1C7759465DFD0

Function 00E75D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E75D30
GetWindowRect.USER32(?,?), ref: 00E75D71
ScreenToClient.USER32(?,?), ref: 00E75D99
GetClientRect.USER32(?,?), ref: 00E75ED7
GetWindowRect.USER32(?,?), ref: 00E75EF8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 83e619c173c2af6f65fc18227ae643a045476b6ba6a5064c7cdf0d279878da8d
Instruction ID: edc2500546ed6989ef921367d1378c39e64064cb79161478adb358ffedb31e55
Opcode Fuzzy Hash: 83e619c173c2af6f65fc18227ae643a045476b6ba6a5064c7cdf0d279878da8d
Instruction Fuzzy Hash: 29B18B75A00B4ADBDB14CFA9C4407EEB7F1FF48314F14A51AE8A9E7290DB30AA51DB50

Function 00EA01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00EA00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA00D6
__allrem.LIBCMT ref: 00EA00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA010B
__allrem.LIBCMT ref: 00EA0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0140

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: c8c4e6f22b19169421b8f794d38f0f77fd82e5ae99b601d11327fc07e5cabf39
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: F481E871B01706ABEB249F68CC41BAB73E9AF5A328F24553EF551FB281E770E9008750

Function 00EF1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF3149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00EF3195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00EF1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EF1DE1
WSAGetLastError.WSOCK32 ref: 00EF1DF2
inet_ntoa.WSOCK32(?), ref: 00EF1E8C
htons.WSOCK32(?), ref: 00EF1EDB
_strlen.LIBCMT ref: 00EF1F35

Part of subcall function 00ED39E8: _strlen.LIBCMT ref: 00ED39F2

Part of subcall function 00E76D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00E8CF58,?,?,?), ref: 00E76DBA
Part of subcall function 00E76D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00E8CF58,?,?,?), ref: 00E76DED

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 2489d053267b49752885cc2dbe54a1f861180721ccf7ef30abccdba8ec7e267f
Instruction ID: 060cd3978b5b10ff3f56030bead668a4ed1278bbef9837d066068f806a12bd61
Opcode Fuzzy Hash: 2489d053267b49752885cc2dbe54a1f861180721ccf7ef30abccdba8ec7e267f
Instruction Fuzzy Hash: FAA1C231204348AFD324DF24C895F3A77E5AF84318F54A98CF55A6B2A2DB31ED45CB92

Function 00EA61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E982D9,00E982D9,?,?,?,00EA644F,00000001,00000001,?), ref: 00EA6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EA644F,00000001,00000001,?,?,?,?), ref: 00EA62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EA63D8
__freea.LIBCMT ref: 00EA63E5

Part of subcall function 00EA3820: RtlAllocateHeap.NTDLL(00000000,?,00F41444,?,00E8FDF5,?,?,00E7A976,00000010,00F41440,00E713FC,?,00E713C6,?,00E71129), ref: 00EA3852

__freea.LIBCMT ref: 00EA63EE
__freea.LIBCMT ref: 00EA6413

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 794852b6fd68348542cfcc4025de56be1b071fac841ca8904881cc38dfb58b0e
Instruction ID: 3480b8bea73d879ffef1b9aa220ed84afd7b99b5c63481ccf88f6a7bf1ee49f4
Opcode Fuzzy Hash: 794852b6fd68348542cfcc4025de56be1b071fac841ca8904881cc38dfb58b0e
Instruction Fuzzy Hash: 4451D372A00216ABDF258F64CC81EAF77E9EF9B714F185629F805FA150DB34EC45C6A0

Function 00EFBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00EFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EFB6AE,?,?), ref: 00EFC9B5
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFC9F1
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFCA68
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EFBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EFBD25
RegCloseKey.ADVAPI32(00000000), ref: 00EFBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EFBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EFBDF3
RegCloseKey.ADVAPI32(?), ref: 00EFBDFF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: ae211b796653ab6031721ced69042bdcdc515f2f47432b6b36bd72faac826c20
Instruction ID: 5000b73e00b2fe55d10911a4b21d16c56781cd0540ea3cb9e354637e0c496eaf
Opcode Fuzzy Hash: ae211b796653ab6031721ced69042bdcdc515f2f47432b6b36bd72faac826c20
Instruction Fuzzy Hash: E5819E30208245EFD714DF24C885E6ABBE5FF84308F14995CF6599B2A2DB32ED45CB92

Function 00ECF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00ECF7B9
SysAllocString.OLEAUT32(00000001), ref: 00ECF860
VariantCopy.OLEAUT32(00ECFA64,00000000), ref: 00ECF889
VariantClear.OLEAUT32(00ECFA64), ref: 00ECF8AD
VariantCopy.OLEAUT32(00ECFA64,00000000), ref: 00ECF8B1
VariantClear.OLEAUT32(?), ref: 00ECF8BB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 59c1981f78e0937fa3a1d513ba8e4c080c559da45473df5c8c4625707ebb4817
Instruction ID: 16a93150a5c007c8a74d07b01e04cd2c853ceaeb0856e814b53fc026f06fa813
Opcode Fuzzy Hash: 59c1981f78e0937fa3a1d513ba8e4c080c559da45473df5c8c4625707ebb4817
Instruction Fuzzy Hash: 8551D435600300ABCF24ABA5D995F69B3E6EF85310B20A46BE905FF291DB718C41C797

Function 00EE910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E77620: _wcslen.LIBCMT ref: 00E77625

Part of subcall function 00E76B57: _wcslen.LIBCMT ref: 00E76B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00EE94E5
_wcslen.LIBCMT ref: 00EE9506
_wcslen.LIBCMT ref: 00EE952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00EE9585

Strings

X, xrefs: 00EE9412

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 79fce430116d272017f600448e39a2810cd5fa9c1379e99281a1abfadc8d3dfa
Instruction ID: fe7fcbfad4770f7933d59310c36e473149d4d97b023dd2d3a22672d27da692b7
Opcode Fuzzy Hash: 79fce430116d272017f600448e39a2810cd5fa9c1379e99281a1abfadc8d3dfa
Instruction Fuzzy Hash: F6E1AF31508340DFD724EF25C881A6AB7E5BF84314F14996DF89DAB2A2DB31DD05CB92

Function 00E8920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E89BB2

BeginPaint.USER32(?,?,?), ref: 00E89241
GetWindowRect.USER32(?,?), ref: 00E892A5
ScreenToClient.USER32(?,?), ref: 00E892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E892D3
EndPaint.USER32(?,?,?,?,?), ref: 00E89321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00EC71EA

Part of subcall function 00E89339: BeginPath.GDI32(00000000), ref: 00E89357

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: aee1bc88cd05e41f4cae2a81c1f0a8ebed603f9f9018c471ec1d82de2229baed
Instruction ID: b009f04d0571a8c38056066f64ddd663feb555b0ca573f50894a060dcb082c3c
Opcode Fuzzy Hash: aee1bc88cd05e41f4cae2a81c1f0a8ebed603f9f9018c471ec1d82de2229baed
Instruction Fuzzy Hash: 1041A130505204AFD721EF24DC84FBA7BE8FB56724F180229F998A72F2C7719845EB61

Function 00EE07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EE080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EE0847
EnterCriticalSection.KERNEL32(?), ref: 00EE0863
LeaveCriticalSection.KERNEL32(?), ref: 00EE08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EE08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EE0921

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 4421de8248c1d16aab75587746b2e3cc7d0144978f9499c5ba3eb67ca08b4376
Instruction ID: da546fd1e7ff5a8e70b4551d10684e31df535f1f0695298752128935af2dfa85
Opcode Fuzzy Hash: 4421de8248c1d16aab75587746b2e3cc7d0144978f9499c5ba3eb67ca08b4376
Instruction Fuzzy Hash: DB419A31900209EFDF14EF54DC85AAA77B9FF44310F1040A9ED04AA297DB70DEA0DBA4

Function 00F081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00ECF3AB,00000000,?,?,00000000,?,00EC682C,00000004,00000000,00000000), ref: 00F0824C
EnableWindow.USER32(00000000,00000000), ref: 00F08272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F082D1
ShowWindow.USER32(00000000,00000004), ref: 00F082E5
EnableWindow.USER32(00000000,00000001), ref: 00F0830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F0832F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a22d477dd7a95897914911a47a599ec197964b2cadd11cd9b0245371f7692bc2
Instruction ID: 75554ff648989e6e8ebfa6ed197432320214f47b87c848f7f25c87b4b7c0dc0f
Opcode Fuzzy Hash: a22d477dd7a95897914911a47a599ec197964b2cadd11cd9b0245371f7692bc2
Instruction Fuzzy Hash: 90418734A01648AFDF25CF15CC99BE47BE1FB5A764F184269E9884B2E2CB315842FF50

Function 00ED4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00ED4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ED4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ED4CEA
_wcslen.LIBCMT ref: 00ED4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ED4D10
_wcsstr.LIBVCRUNTIME ref: 00ED4D1A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ca6390504c8cce580090bddb234026845e9497356245420a6d6fd9c94807e576
Instruction ID: 920929ffbbac6709af3c8f69f265db251ccfe7ae6edbce571e5f3505b34e786d
Opcode Fuzzy Hash: ca6390504c8cce580090bddb234026845e9497356245420a6d6fd9c94807e576
Instruction Fuzzy Hash: 3F2107B1204204BBEB255B25DC49E7B7BDDDF55750F10502AF809EA2D1DA71CC4297A0

Function 00EE581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E73A97,?,?,00E72E7F,?,?,?,00000000), ref: 00E73AC2

_wcslen.LIBCMT ref: 00EE587B
CoInitialize.OLE32(00000000), ref: 00EE5995
CoCreateInstance.OLE32(00F0FCF8,00000000,00000001,00F0FB68,?), ref: 00EE59AE
CoUninitialize.OLE32 ref: 00EE59CC

Strings

.lnk, xrefs: 00EE5876, 00EE58C1, 00EE5985

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 13e5dd306798eac4a9ded1c7e2e8db8eca37151d29aaecb6f734af541c7768d4
Instruction ID: 3fb8189009b4ee1d9872727930cc0de5f4778b467a120b7dd566b83a592e81b9
Opcode Fuzzy Hash: 13e5dd306798eac4a9ded1c7e2e8db8eca37151d29aaecb6f734af541c7768d4
Instruction Fuzzy Hash: FDD185726047059FC714DF25C48096ABBE1FF89718F14985DF889AB362C732EC05CB92

Function 00ED175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ED0FCA
Part of subcall function 00ED0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ED0FD6
Part of subcall function 00ED0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ED0FE5
Part of subcall function 00ED0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00ED0FEC
Part of subcall function 00ED0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ED1002

GetLengthSid.ADVAPI32(?,00000000,00ED1335), ref: 00ED17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00ED17BA
HeapAlloc.KERNEL32(00000000), ref: 00ED17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00ED17DA
GetProcessHeap.KERNEL32(00000000,00000000,00ED1335), ref: 00ED17EE
HeapFree.KERNEL32(00000000), ref: 00ED17F5

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 35154978434738a4baa5c63c08bfef5c7c04b5ac963eb81bcdb8ad547c3e94a0
Instruction ID: 341a8461718f4ac391640b3d182607ea84517f95cdb86b7b92c70164ce7de153
Opcode Fuzzy Hash: 35154978434738a4baa5c63c08bfef5c7c04b5ac963eb81bcdb8ad547c3e94a0
Instruction Fuzzy Hash: B311BE31604209FFDB209FA4CC49BAF7BB9FB46359F10425AF441A7221C735A941DBA0

Function 00ED14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00ED14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00ED1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00ED1515
CloseHandle.KERNEL32(00000004), ref: 00ED1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ED154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00ED1563

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bacb761e7811fb543f23eaadcbd783468f30bc8c2edec71c5ba2be66f5118bcf
Instruction ID: 49ca953fec392bff0a49d1b5c9e701aac541e8618528354bce926afcc9374332
Opcode Fuzzy Hash: bacb761e7811fb543f23eaadcbd783468f30bc8c2edec71c5ba2be66f5118bcf
Instruction Fuzzy Hash: DB11297250420DBBDF118F98ED49BDE7BA9FF48748F048155FA05A21A0C3758E61EBA1

Function 00E93382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E93379,00E92FE5), ref: 00E93390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E9339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E933B7
SetLastError.KERNEL32(00000000,?,00E93379,00E92FE5), ref: 00E93409

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f8bb772a4a1d5271c44b04ee01b737d5f0aa49ed2fdf040704bd278721a492b3
Instruction ID: 51cb7a6ad6e64b7ab44bc90aac1eb34e9599c98577480611ec6e49fd2364aaea
Opcode Fuzzy Hash: f8bb772a4a1d5271c44b04ee01b737d5f0aa49ed2fdf040704bd278721a492b3
Instruction Fuzzy Hash: BE01247260D315BEEF2867747D859673E94EB153793202329F420F01F1EF114E016284

Function 00EA2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EA5686,00EB3CD6,?,00000000,?,00EA5B6A,?,?,?,?,?,00E9E6D1,?,00F38A48), ref: 00EA2D78
_free.LIBCMT ref: 00EA2DAB
_free.LIBCMT ref: 00EA2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00E9E6D1,?,00F38A48,00000010,00E74F4A,?,?,00000000,00EB3CD6), ref: 00EA2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00E9E6D1,?,00F38A48,00000010,00E74F4A,?,?,00000000,00EB3CD6), ref: 00EA2DEC
_abort.LIBCMT ref: 00EA2DF2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 17782dbe87003814b837dbf5ec5058d6c21a252d1add90b00718dd354233a15c
Instruction ID: a60646dd4e1ff8e2d46f261c436003b2fa3428c85a49cfd1b187dc988a68d642
Opcode Fuzzy Hash: 17782dbe87003814b837dbf5ec5058d6c21a252d1add90b00718dd354233a15c
Instruction Fuzzy Hash: ADF0A93150550027C222373D7C06B5B2A96AFCB775B25251CFA24BE1D3EF24B8016161

Function 00F08A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E89693
Part of subcall function 00E89639: SelectObject.GDI32(?,00000000), ref: 00E896A2
Part of subcall function 00E89639: BeginPath.GDI32(?), ref: 00E896B9
Part of subcall function 00E89639: SelectObject.GDI32(?,00000000), ref: 00E896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00F08A4E
LineTo.GDI32(?,00000003,00000000), ref: 00F08A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00F08A70
LineTo.GDI32(?,00000000,00000003), ref: 00F08A80
EndPath.GDI32(?), ref: 00F08A90
StrokePath.GDI32(?), ref: 00F08AA0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5c10f26fdbab7869f052c250236c3e4065dfdb8fa721394614018e15bd416417
Instruction ID: d087571ae6a4d048435d1b886ec23722cc7f65b7c91e7bad60593afd52b47906
Opcode Fuzzy Hash: 5c10f26fdbab7869f052c250236c3e4065dfdb8fa721394614018e15bd416417
Instruction Fuzzy Hash: 2811097640010CFFEB129F90DC88EAA7F6DFB08390F048112FA199A1A1C7719D55EBA0

Function 00ED51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00ED5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00ED5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ED5230
ReleaseDC.USER32(00000000,00000000), ref: 00ED5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00ED524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00ED5261

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ca242e201e8034fdcd17ff8b256e48530296f09d6c744f208dbbcd7300faaa7b
Instruction ID: ab6027ec7aaffcfc8de7e7442732616d8b0359919b2fa02b7a0ac4e62b4f91ab
Opcode Fuzzy Hash: ca242e201e8034fdcd17ff8b256e48530296f09d6c744f208dbbcd7300faaa7b
Instruction Fuzzy Hash: 3C018F75A00708BBEB109BA59D49F4EBFB8FB48351F044166FA04A7390D6709805DBA0

Function 00E71BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E71BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E71BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E71C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E71C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E71C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E71C22

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6f92590c3d0c2bac8bce027f106a2faf61d3455d05757b9a9fe54b4f9abd0b82
Instruction ID: 0b5d4fb6d38cccd8409e37fb4db7bf2f32982bc958864aa2a3e3757625ee5aa5
Opcode Fuzzy Hash: 6f92590c3d0c2bac8bce027f106a2faf61d3455d05757b9a9fe54b4f9abd0b82
Instruction Fuzzy Hash: 64016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00EDEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EDEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EDEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00EDEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EDEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EDEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EDEB75

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 69eb99a75c207a862e19cea8e7ef094754bc4f014a5c04ff586c24125dca9bd9
Instruction ID: e041265999da6b5dfd3e9aebb0c7a9f12bbbee7d2783dd074a1aa2d052568ac9
Opcode Fuzzy Hash: 69eb99a75c207a862e19cea8e7ef094754bc4f014a5c04ff586c24125dca9bd9
Instruction Fuzzy Hash: EBF01772240158BBE6315B629C0EEAB3A7CFBCAB15F004259FA01E119196A15A01AAF5

Function 00EC7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00EC7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00EC7469
GetWindowDC.USER32(?), ref: 00EC7475
GetPixel.GDI32(00000000,?,?), ref: 00EC7484
ReleaseDC.USER32(?,00000000), ref: 00EC7496
GetSysColor.USER32(00000005), ref: 00EC74B0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: eab988412466392429c6207136497007b5bdae9f02ad3a28335734e4cce4a6f9
Instruction ID: 9420838feaf729974bb4175684355f4d61cd254b18a69fa82590e5e413bd4363
Opcode Fuzzy Hash: eab988412466392429c6207136497007b5bdae9f02ad3a28335734e4cce4a6f9
Instruction Fuzzy Hash: 0E014B31400619EFDB615F64DD08FFA7BB5FB04321F550264FE69A21A1CB321E52AF90

Function 00ED1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ED187F
UnloadUserProfile.USERENV(?,?), ref: 00ED188B
CloseHandle.KERNEL32(?), ref: 00ED1894
CloseHandle.KERNEL32(?), ref: 00ED189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00ED18A5
HeapFree.KERNEL32(00000000), ref: 00ED18AC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 590dba6c549c34dc772f2be29ed6cede4f309567b32183508d084c4efcf00171
Instruction ID: 9d385d1665dc4c7600d383bf98b600e7ca7f47b55470611eb24fcb79a4e67756
Opcode Fuzzy Hash: 590dba6c549c34dc772f2be29ed6cede4f309567b32183508d084c4efcf00171
Instruction Fuzzy Hash: 17E07576104509BBEB015FA6ED0C94ABF79FF49B22B508725F265814B1CB329461EFD0

Function 00EF7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00E90242: EnterCriticalSection.KERNEL32(00F4070C,00F41884,?,?,00E8198B,00F42518,?,?,?,00E712F9,00000000), ref: 00E9024D
Part of subcall function 00E90242: LeaveCriticalSection.KERNEL32(00F4070C,?,00E8198B,00F42518,?,?,?,00E712F9,00000000), ref: 00E9028A

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00E900A3: __onexit.LIBCMT ref: 00E900A9

__Init_thread_footer.LIBCMT ref: 00EF7BFB

Part of subcall function 00E901F8: EnterCriticalSection.KERNEL32(00F4070C,?,?,00E88747,00F42514), ref: 00E90202
Part of subcall function 00E901F8: LeaveCriticalSection.KERNEL32(00F4070C,?,00E88747,00F42514), ref: 00E90235

Strings

+T, xrefs: 00EF7E2E
G, xrefs: 00EF7C7F
5, xrefs: 00EF7C78
Variable must be of type 'Object'., xrefs: 00EF7C3A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: 87b80418432b30acdf91c5cf6d7e56f3ae5904d90f235ce89a79a567518102a6
Instruction ID: 741578cea5840a8f52dc0bf10fdb460084747035a09e800c12813dd96edc709e
Opcode Fuzzy Hash: 87b80418432b30acdf91c5cf6d7e56f3ae5904d90f235ce89a79a567518102a6
Instruction Fuzzy Hash: DA919A70A04209EFCB04EF54D881DBDB7B1FF49308F549059FA8AAB292DB31AE41DB51

Function 00EDC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77620: _wcslen.LIBCMT ref: 00E77625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EDC6EE
_wcslen.LIBCMT ref: 00EDC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EDC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EDC7CA

Strings

0, xrefs: 00EDC6AF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b182b2765c111502ec6e3373faa3cf0240abd4829e6dfe172209361a0e3cf305
Instruction ID: cb1b4476340ba10f0728e28f4214912496fad403ac1dc009c8bdf7c0821a0f49
Opcode Fuzzy Hash: b182b2765c111502ec6e3373faa3cf0240abd4829e6dfe172209361a0e3cf305
Instruction Fuzzy Hash: C251E0716043029BD7149F38C884B6A77E4EF89398F242A2BF995F22D0DB70D846DB52

Function 00EFAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00EFAEA3

Part of subcall function 00E77620: _wcslen.LIBCMT ref: 00E77625

GetProcessId.KERNEL32(00000000), ref: 00EFAF38
CloseHandle.KERNEL32(00000000), ref: 00EFAF67

Strings

<, xrefs: 00EFAE6B
@, xrefs: 00EFAE72

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6c2caf3923bb66be671543ab06047a61a73ec9a323d36174a8bcb786391d91fa
Instruction ID: fa8b21096dee945819ecba9a9a226880f8e1ee53a61c86e1180963036ed728af
Opcode Fuzzy Hash: 6c2caf3923bb66be671543ab06047a61a73ec9a323d36174a8bcb786391d91fa
Instruction Fuzzy Hash: 39714871A00219DFCB14DF54C484AAEBBF5BF08314F1894A9E95AAF352C774ED41CB91

Function 00ED719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00ED723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00ED724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00ED72CF

Strings

DllGetClassObject, xrefs: 00ED7242

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 39a88e302bb0b936bba0dc59d3593d61261b706d78d0a769c1f9cc18a710ef12
Instruction ID: 38e30f5c3300a0035dbe80aaf86cd5f9cdc0d4576744246cd1e62fb3c56892bd
Opcode Fuzzy Hash: 39a88e302bb0b936bba0dc59d3593d61261b706d78d0a769c1f9cc18a710ef12
Instruction Fuzzy Hash: AA41AEB1A04204EFDB15CF54C884A9A7BA9EF44314F1090AEBD45AF31AE7B1DD46DBA0

Function 00F03D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F03E35
IsMenu.USER32(?), ref: 00F03E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F03E92
DrawMenuBar.USER32 ref: 00F03EA5

Strings

0, xrefs: 00F03D89

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: e81e70a83634fc2f2face8683abd4f19a171d48c47e85b43c731a1c98e2bee97
Instruction ID: 1e472d20e56315a95f05154333e849b70448c7f3937f8eb629cc3dfb37cca1a2
Opcode Fuzzy Hash: e81e70a83634fc2f2face8683abd4f19a171d48c47e85b43c731a1c98e2bee97
Instruction Fuzzy Hash: 8B413B75A01209EFDB10DF50D884EEABBB9FF49364F044229F905A7290D730AE49EF90

Function 00ED1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00ED3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00ED3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00ED1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00ED1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00ED1EA9

Part of subcall function 00E76B57: _wcslen.LIBCMT ref: 00E76B6A

Strings

ComboBox, xrefs: 00ED1DF0
ListBox, xrefs: 00ED1E25

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a14fb0118698e5ff21761af7725e3946ad98bc66c141918de969e1a89601d190
Instruction ID: 29dbf9f9157377012ee12a1d3018c21b09c390a1ed1bcef47a0bd78f7f5934a8
Opcode Fuzzy Hash: a14fb0118698e5ff21761af7725e3946ad98bc66c141918de969e1a89601d190
Instruction Fuzzy Hash: 33212771A00104BEDB14AB64DC46CFFB7F9EF45368B14A11AFC29B72E1DB35490B9660

Function 00EFC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EFC9F1
_wcslen.LIBCMT ref: 00EFCA68
_wcslen.LIBCMT ref: 00EFCA9E
_wcslen.LIBCMT ref: 00EFCAF9
_wcslen.LIBCMT ref: 00EFCB2F
_wcslen.LIBCMT ref: 00EFCB7F

Strings

HKLM, xrefs: 00EFCA98, 00EFCA9D
HKEY_LOCAL_MACHINE, xrefs: 00EFCA62, 00EFCA67

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 2d6cd66d35cf1f86671fedb6dab3c4b9387b2ffd5faceb217d8fdb7128d842e2
Instruction ID: e5bbe6b667758072860fedc2d3648c1685ecc8de25e6d315740c95f6f023b5e4
Opcode Fuzzy Hash: 2d6cd66d35cf1f86671fedb6dab3c4b9387b2ffd5faceb217d8fdb7128d842e2
Instruction Fuzzy Hash: 39310973A0096E4BCB20EF6C8A514BE33915BA1758F356029ED477B245EA71ED40D3A0

Function 00F02F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F02F8D
LoadLibraryW.KERNEL32(?), ref: 00F02F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F02FA9
DestroyWindow.USER32(?), ref: 00F02FB1

Strings

SysAnimate32, xrefs: 00F02F68

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 4839e12e9956961abf2221e6518bbb08a83ee10018e571886952523c9ef034f0
Instruction ID: 832a39a20d81d622872014be9c0b5d8c091e671c01f02d86ac29ee24fae85cdc
Opcode Fuzzy Hash: 4839e12e9956961abf2221e6518bbb08a83ee10018e571886952523c9ef034f0
Instruction Fuzzy Hash: 1921B872A0020AEBEB215F649C88EBB77B9EB593B5F100218FA10921D0C771DC81B7B0

Function 00E94D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E94D1E,00EA28E9,(,00E94CBE,00000000,00F388B8,0000000C,00E94E15,(,00000002), ref: 00E94D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E94DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00E94D1E,00EA28E9,(,00E94CBE,00000000,00F388B8,0000000C,00E94E15,(,00000002,00000000), ref: 00E94DC3

Strings

mscoree.dll, xrefs: 00E94D86
CorExitProcess, xrefs: 00E94D98

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7b5f9266d967e2afe892522f4d6e988e4b4d7d629460a634fce54c5023d1b1ab
Instruction ID: b58a395c6bf8b9d32783b83bdb79183786595299c21252b80bdcda3888fbde08
Opcode Fuzzy Hash: 7b5f9266d967e2afe892522f4d6e988e4b4d7d629460a634fce54c5023d1b1ab
Instruction Fuzzy Hash: F7F03C74A4020CABDB159B90DC49BEDBBA5EB44756F0402A4F809A22A0DB709981EBD1

Function 00E74E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E74EDD,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E74EAE
FreeLibrary.KERNEL32(00000000,?,?,00E74EDD,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74EC0

Strings

kernel32.dll, xrefs: 00E74E94
Wow64DisableWow64FsRedirection, xrefs: 00E74EA8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b994d5247bb1685eec9ad18d5435caf5e684379b4c3d218f1947daa60973d288
Instruction ID: e25547401fc4dffbd9244191f289f12c2f33fca29d1225174027e25fbdcd7b66
Opcode Fuzzy Hash: b994d5247bb1685eec9ad18d5435caf5e684379b4c3d218f1947daa60973d288
Instruction Fuzzy Hash: 1AE0CD76A015225BD23117256C18F6F7554FFC1F76B054215FC04F7180DB64CD01A1E1

Function 00E74E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EB3CDE,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E74E74
FreeLibrary.KERNEL32(00000000,?,?,00EB3CDE,?,00F41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E74E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00E74E6E
kernel32.dll, xrefs: 00E74E5B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 52253553adb7955a9f20c587f517b451e72957e3b0043511ae5e0e39a495c4f8
Instruction ID: a6dddf9133a752ae96ed242a565801d3e4295539d87458be657a8ea743947385
Opcode Fuzzy Hash: 52253553adb7955a9f20c587f517b451e72957e3b0043511ae5e0e39a495c4f8
Instruction Fuzzy Hash: 6AD0C23250262257C7221B246C08D8B7A1CFF85B393055311BC08F6194CF60CD01A2D0

Function 00EFA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00EFA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EFA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EFA468
CloseHandle.KERNEL32(?), ref: 00EFA63D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 98cd89f6a0b9f885b9cecba07bd582da741faadf10c5a77e54a7c767a2039c19
Instruction ID: 4476acc5009240c8b6a559062cc31c794731b37d8f949e5afdba6520c17e8e01
Opcode Fuzzy Hash: 98cd89f6a0b9f885b9cecba07bd582da741faadf10c5a77e54a7c767a2039c19
Instruction Fuzzy Hash: 07A172B16043019FD724DF24C886F2AB7E5AF84714F18986DF95EAB392D770EC418B92

Function 00EDE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EDCF22,?), ref: 00EDDDFD

Part of subcall function 00EDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EDCF22,?), ref: 00EDDE16

Part of subcall function 00EDE199: GetFileAttributesW.KERNEL32(?,00EDCF95), ref: 00EDE19A

lstrcmpiW.KERNEL32(?,?), ref: 00EDE473
MoveFileW.KERNEL32(?,?), ref: 00EDE4AC
_wcslen.LIBCMT ref: 00EDE5EB
_wcslen.LIBCMT ref: 00EDE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00EDE650

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 6036a27c64b293de3f4aa3fda951f36724ded7305d8f36c6fc9dfaeea9c03981
Instruction ID: 6dbc869f0d093fccb8e3180300180ef43d6fb8c5ce7d5a3cd7ffadabcf6dde63
Opcode Fuzzy Hash: 6036a27c64b293de3f4aa3fda951f36724ded7305d8f36c6fc9dfaeea9c03981
Instruction Fuzzy Hash: A55181B24083455BC724EB90DC859DFB3ECEF84344F00591FF599E7291EE34A5898766

Function 00EFB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00EFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EFB6AE,?,?), ref: 00EFC9B5
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFC9F1
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFCA68
Part of subcall function 00EFC998: _wcslen.LIBCMT ref: 00EFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EFBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EFBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EFBB63
RegCloseKey.ADVAPI32(?,?), ref: 00EFBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00EFBBB3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6ec3c985ac17ee131b64ba6fd315199f611ec36a6cbcade1e2c5aa1458b34af7
Instruction ID: 1cfae001fa0b7cbeda145309e10910fcf80b815b1c4e1acdafd9a87407f4f6ee
Opcode Fuzzy Hash: 6ec3c985ac17ee131b64ba6fd315199f611ec36a6cbcade1e2c5aa1458b34af7
Instruction Fuzzy Hash: 1261AF31208245AFD714DF14C891E3ABBE5FF84308F14999CF5999B2A2DB31ED45CB92

Function 00ED8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00ED8BCD
VariantClear.OLEAUT32 ref: 00ED8C3E
VariantClear.OLEAUT32 ref: 00ED8C9D
VariantClear.OLEAUT32(?), ref: 00ED8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00ED8D3B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 5fb8ccdc13c90e0c3c8ba591505cdcfab24988a4c1c4babd439d40ea2cc68c84
Instruction ID: 1add4a50caaa652cfb023487d64ae562995a6383f567bf443b437a42eaa6c1c3
Opcode Fuzzy Hash: 5fb8ccdc13c90e0c3c8ba591505cdcfab24988a4c1c4babd439d40ea2cc68c84
Instruction Fuzzy Hash: 1A515DB5A00619EFCB14CF58C894AAAB7F9FF89314B15855AF905EB350E730E912CF90

Function 00EE8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EE8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EE8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EE8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EE8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EE8C5F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6cb52a97722a8f9fb86e1bba1b912c6fdc2cfdfa6799af2d9bcb7bf07b5e5660
Instruction ID: 8eb4cb5947761bf23528743e1bd16e9842a7d6c1fa07af8820f6b6fe39819fe6
Opcode Fuzzy Hash: 6cb52a97722a8f9fb86e1bba1b912c6fdc2cfdfa6799af2d9bcb7bf07b5e5660
Instruction Fuzzy Hash: 88513735A00218AFCB05DF65C881A6ABBF5FF49314F18D458E84DAB3A2CB31ED51CB91

Function 00EF8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EF8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00EF8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EF8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00EF9032
FreeLibrary.KERNEL32(00000000), ref: 00EF9052

Part of subcall function 00E8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EE1043,?,753CE610), ref: 00E8F6E6
Part of subcall function 00E8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00ECFA64,00000000,00000000,?,?,00EE1043,?,753CE610,?,00ECFA64), ref: 00E8F70D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ecc54340b81f63e43048a097935687639a35d451d178a4d91bc481fae4099099
Instruction ID: c1f8bfd6ac71056acbb332440072d2306cbc523d37f22f2f89201acde249050a
Opcode Fuzzy Hash: ecc54340b81f63e43048a097935687639a35d451d178a4d91bc481fae4099099
Instruction Fuzzy Hash: 2C514B35600209DFC715DF58C484DADBBF1FF49318B0891A9E94AAB362DB31ED85CB91

Function 00F06B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00F06C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00F06C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00F06C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EEAB79,00000000,00000000), ref: 00F06C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00F06CC7

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: fa82c1cafac3653e6d6a9cf1623ee35f34ef36913a3a0877350cbad303c16d24
Instruction ID: 31a685e8fb5489892abf596b1b979e53e309dad9ed8b9bd401309b3dd641b4ca
Opcode Fuzzy Hash: fa82c1cafac3653e6d6a9cf1623ee35f34ef36913a3a0877350cbad303c16d24
Instruction Fuzzy Hash: D641D375A00104AFE724CF28CC58FA97BA5EB09360F154228FC99E72E0C371AD61FA80

Function 00EA2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA20C3
_free.LIBCMT ref: 00EA20E3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 27338cb05e6bada451b124aec8c4573d1cc92355672431bef23a7ae28cee1eb9
Instruction ID: 91939099ad6a693100365f9241a8f7dbaf0a5007e57808deccaa13e8f8840f33
Opcode Fuzzy Hash: 27338cb05e6bada451b124aec8c4573d1cc92355672431bef23a7ae28cee1eb9
Instruction Fuzzy Hash: 5C41DE72A002049FCB24DF7CC880A5AB7E6EF8A724B1545ADE615FF391DA31BD01CB81

Function 00E8912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E89141
ScreenToClient.USER32(00000000,?), ref: 00E8915E
GetAsyncKeyState.USER32(00000001), ref: 00E89183
GetAsyncKeyState.USER32(00000002), ref: 00E8919D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 067887daeedfac221788f0a8bf877416f550e8d500611ccbe6250abef6c3e4a5
Instruction ID: 9659c6e27a89fbc2b65f8fe11668a122bc2a7ded59ad88dbb38559452e1f5360
Opcode Fuzzy Hash: 067887daeedfac221788f0a8bf877416f550e8d500611ccbe6250abef6c3e4a5
Instruction Fuzzy Hash: 99419D31A0861ABBDF05AF64C848BFEB774FB05324F288219E869B32D1C7356950DF91

Function 00EE3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EE38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EE3922
TranslateMessage.USER32(?), ref: 00EE394B
DispatchMessageW.USER32(?), ref: 00EE3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EE3966

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 2c38af37ae4f380b31e632682423191d696048969026d2415258cadbb4c26707
Instruction ID: f5274e742941a492ae917f7a5cca3c393fcafdab9efe57cdf0aba3c4cb99bf2b
Opcode Fuzzy Hash: 2c38af37ae4f380b31e632682423191d696048969026d2415258cadbb4c26707
Instruction Fuzzy Hash: 1231F9745043CD9EEB35CB36DC0CBB637A8BB52308F041569E852A31D5E3B69684DB21

Function 00EECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EEC21E,00000000), ref: 00EECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EEC21E,00000000), ref: 00EECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EEC21E,00000000), ref: 00EECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EEC21E,00000000), ref: 00EECFF2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 6d9f9d5d56285b9c8f7055fd57f5dde5e647f13dd089c8600fa768d5d53fcd7b
Instruction ID: 6f1ee5f2c8d43177aa2d2f47f761145d6941983bae521c6d6182d8ddeb59d17e
Opcode Fuzzy Hash: 6d9f9d5d56285b9c8f7055fd57f5dde5e647f13dd089c8600fa768d5d53fcd7b
Instruction Fuzzy Hash: 2F315071604649EFDB20DFA6C884AABBBF9FF14355B20542EF50AE2150D730ED42DBA0

Function 00ED1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00ED1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00ED19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00ED19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00ED19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00ED19E2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fd50d66fab71faba01aa2fc47e874534e7552b94f4d9b7d666354c5e7bfeb717
Instruction ID: b8a1da79b9406c135678582d90249c6dc88dc537b9a425f076e92f3ee91f0def
Opcode Fuzzy Hash: fd50d66fab71faba01aa2fc47e874534e7552b94f4d9b7d666354c5e7bfeb717
Instruction Fuzzy Hash: 5F31CD71A00219EFCB10CFA8C9A8ADE3BB5FB44318F00536AF921AB2D1C3709945DB90

Function 00F05706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F05745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F0579D
_wcslen.LIBCMT ref: 00F057AF
_wcslen.LIBCMT ref: 00F057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F05816

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 800d6d6bd30ba19dcae6e58e8dfc35946c5e404ae329a2b6140fc799a883d06a
Instruction ID: cd81f429f2aef39405530bcbb42d1342ad1008f2d34e9d4fd5a320a304ebab9b
Opcode Fuzzy Hash: 800d6d6bd30ba19dcae6e58e8dfc35946c5e404ae329a2b6140fc799a883d06a
Instruction Fuzzy Hash: EF214175D04618AADF20DFA4CC85AEE77B8FF44B24F108256ED19AA1C0D7B09985FF50

Function 00EF0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EF0951
GetForegroundWindow.USER32 ref: 00EF0968
GetDC.USER32(00000000), ref: 00EF09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00EF09B0
ReleaseDC.USER32(00000000,00000003), ref: 00EF09E8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f2c1421b311129ac241ae86dcabbeed00d025b4da36877b8bfcf072936e5abf5
Instruction ID: f5fab17156c373dd34a2834202c661febeea5a86a44b500ff5b2d7d5204869be
Opcode Fuzzy Hash: f2c1421b311129ac241ae86dcabbeed00d025b4da36877b8bfcf072936e5abf5
Instruction Fuzzy Hash: B5218435600208AFD714EF65C945AAEB7E9FF84700F048169F94AA7362DB70AC44DB90

Function 00EACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EACDE9

Part of subcall function 00EA3820: RtlAllocateHeap.NTDLL(00000000,?,00F41444,?,00E8FDF5,?,?,00E7A976,00000010,00F41440,00E713FC,?,00E713C6,?,00E71129), ref: 00EA3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EACE0F
_free.LIBCMT ref: 00EACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EACE31

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 59cc8423d673fd3b7c5d73e81679187c10570f1313a33e6c6e64f86786d99557
Instruction ID: 43b5b99c7b8348ba712053608da951111821392e0e336a9a6327750ee56b56da
Opcode Fuzzy Hash: 59cc8423d673fd3b7c5d73e81679187c10570f1313a33e6c6e64f86786d99557
Instruction Fuzzy Hash: 5C01FC726012157F672117B66C4CC7B7E6DEECBBA53255229FD05FB201EA609D0191F0

Function 00E89639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E89693
SelectObject.GDI32(?,00000000), ref: 00E896A2
BeginPath.GDI32(?), ref: 00E896B9
SelectObject.GDI32(?,00000000), ref: 00E896E2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c2b360f5521b51c0c3fd5fd53c0a93e51bade334cf93145522c1fe0b1d94a149
Instruction ID: ef4e8c491b383640cda99845c3cb9561d330b8ed0b72885d66440534139f494f
Opcode Fuzzy Hash: c2b360f5521b51c0c3fd5fd53c0a93e51bade334cf93145522c1fe0b1d94a149
Instruction Fuzzy Hash: A8215074802309EFDB11AF64DC14BBD3BA8BB61359F144216F828B61B1E3705895FF94

Function 00ED5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00ED5726
_memcmp.LIBVCRUNTIME ref: 00ED5744
_memcmp.LIBVCRUNTIME ref: 00ED5757
_memcmp.LIBVCRUNTIME ref: 00ED576F
_memcmp.LIBVCRUNTIME ref: 00ED5787

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ca06ce6b071b49aaa19daf68bb49e4c610bc96d7a6495f7dbba3b6ebe5c2c4c5
Instruction ID: 7e83766520e2625da23b14810c7eb32490eebcc95f7688b5887047d60d743ea9
Opcode Fuzzy Hash: ca06ce6b071b49aaa19daf68bb49e4c610bc96d7a6495f7dbba3b6ebe5c2c4c5
Instruction Fuzzy Hash: 8501D6A3641606FAE61891109D42EFA739CDB61398B205023FD04BA781F620ED2596A1

Function 00EA2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E9F2DE,00EA3863,00F41444,?,00E8FDF5,?,?,00E7A976,00000010,00F41440,00E713FC,?,00E713C6), ref: 00EA2DFD
_free.LIBCMT ref: 00EA2E32
_free.LIBCMT ref: 00EA2E59
SetLastError.KERNEL32(00000000,00E71129), ref: 00EA2E66
SetLastError.KERNEL32(00000000,00E71129), ref: 00EA2E6F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8ef044d6ca62be369f4cc453445339081c5c474e501ddca4764291bbfdf9437d
Instruction ID: 8af2d65ed589b539662dd8fc3683d6b1bd44394bd0495740ac7e0b19c3000ed4
Opcode Fuzzy Hash: 8ef044d6ca62be369f4cc453445339081c5c474e501ddca4764291bbfdf9437d
Instruction Fuzzy Hash: F30149322046002BC623233D2C45D2B3699ABCF774720A12CF624FA1D2EF30EC412160

Function 00ED000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?,?,?,00ED035E), ref: 00ED002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?,?), ref: 00ED0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?,?), ref: 00ED0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?), ref: 00ED0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ECFF41,80070057,?,?), ref: 00ED0070

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 57e7953d421487597cba66a5059bbb85b8d914edbd162473a3139beb8b59edd5
Instruction ID: ad639f8d77ab5b3c4f1575f92da9403b1b8e56621849a3711f9f0b24aaf4485f
Opcode Fuzzy Hash: 57e7953d421487597cba66a5059bbb85b8d914edbd162473a3139beb8b59edd5
Instruction Fuzzy Hash: 5201AD72600208BFDB114F68DC04BAA7AEDFF84792F189625F905E2310E771DD41ABA0

Function 00EDE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00EDE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00EDE9A5
Sleep.KERNEL32(00000000), ref: 00EDE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00EDE9B7
Sleep.KERNEL32 ref: 00EDE9F3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e0b445745af4d2adea4344423ef11b8697180ba6f77e3e2b7f5d7e1046901e06
Instruction ID: f133d15b8248ef22efab2fb90c9bbbf0b4f085ca9409757478c01ca1244fdd7d
Opcode Fuzzy Hash: e0b445745af4d2adea4344423ef11b8697180ba6f77e3e2b7f5d7e1046901e06
Instruction Fuzzy Hash: DD015731C0262DDBCF04ABE5D86DAEEBB78FF48300F001696E502B6341CB3095529BA1

Function 00ED10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00ED0B9B,?,?,?), ref: 00ED1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED114D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a85ba79d5d51a078f816a9dbef58d8a65819b42c3179d04ed849087a2523723f
Instruction ID: fd2c265c6aa34f13e59f66d04640b9cd03ef80e8669956291e08998e90263d03
Opcode Fuzzy Hash: a85ba79d5d51a078f816a9dbef58d8a65819b42c3179d04ed849087a2523723f
Instruction Fuzzy Hash: B0018C75201209BFEB114FA5DC49E6A3F7EFF893A4B210559FA45D3360DB31DC00AAA0

Function 00ED0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ED0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ED0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ED0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00ED0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ED1002

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 65b629044bd61206ddc084d6f15e4754e3f647cd613e9ae121b4974848e5d0cf
Instruction ID: 472f92fb9cf24f94f3dd931a930e6471383861da4ca4f4efc692315835ab587e
Opcode Fuzzy Hash: 65b629044bd61206ddc084d6f15e4754e3f647cd613e9ae121b4974848e5d0cf
Instruction Fuzzy Hash: 45F0A935200309BBDB211FA5AC49F563BAEFF89762F100519FA49D6291CA30DC409AA0

Function 00ED1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00ED102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00ED1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED1062

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 32ebb004106960f85279a9df131766333a268a5b9dbf21ef9874db79a22bba76
Instruction ID: 3f9ee33c6a336e7e5c2a8836653fd1c31fec8b28ef7db09773735b1b41a606a5
Opcode Fuzzy Hash: 32ebb004106960f85279a9df131766333a268a5b9dbf21ef9874db79a22bba76
Instruction Fuzzy Hash: B3F06D35200309FBDB216FA5EC49F563BADFF897A1F100515FA45D7251CA70D841EAA0

Function 00EE030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00EE017D,?,00EE32FC,?,00000001,00EB2592,?), ref: 00EE0324
CloseHandle.KERNEL32(?,?,?,?,00EE017D,?,00EE32FC,?,00000001,00EB2592,?), ref: 00EE0331
CloseHandle.KERNEL32(?,?,?,?,00EE017D,?,00EE32FC,?,00000001,00EB2592,?), ref: 00EE033E
CloseHandle.KERNEL32(?,?,?,?,00EE017D,?,00EE32FC,?,00000001,00EB2592,?), ref: 00EE034B
CloseHandle.KERNEL32(?,?,?,?,00EE017D,?,00EE32FC,?,00000001,00EB2592,?), ref: 00EE0358
CloseHandle.KERNEL32(?,?,?,?,00EE017D,?,00EE32FC,?,00000001,00EB2592,?), ref: 00EE0365

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fdbbba0e479be38a168456e3393b8ff104b48cce9aa348f8587591a92fd39c76
Instruction ID: 0c2a495f3f5b6299d0fb39d7499f244a1a5b395fa7cc9e2873bb80a3f1f1e1eb
Opcode Fuzzy Hash: fdbbba0e479be38a168456e3393b8ff104b48cce9aa348f8587591a92fd39c76
Instruction Fuzzy Hash: F101A272800B599FC7309F66D880412F7F5BF503193159A3FD19662931C3B1A994DF80

Function 00EAD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EAD752

Part of subcall function 00EA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000), ref: 00EA29DE
Part of subcall function 00EA29C8: GetLastError.KERNEL32(00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000,00000000), ref: 00EA29F0

_free.LIBCMT ref: 00EAD764
_free.LIBCMT ref: 00EAD776
_free.LIBCMT ref: 00EAD788
_free.LIBCMT ref: 00EAD79A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bfe3fcfb8e7ffa8bfc26cc3b3504114c98e21b5421a33a897b5c0dcfee84cf7e
Instruction ID: 2657a8ebdf6be4e87f448c9b08c4ac282304a462d86925ff2af88469ec9d1c01
Opcode Fuzzy Hash: bfe3fcfb8e7ffa8bfc26cc3b3504114c98e21b5421a33a897b5c0dcfee84cf7e
Instruction Fuzzy Hash: DDF04432509208AF8655EB58FDC1C177BDEBB4E724795280AF145FB911C720FC8047A1

Function 00ED5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00ED5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00ED5C6F
MessageBeep.USER32(00000000), ref: 00ED5C87
KillTimer.USER32(?,0000040A), ref: 00ED5CA3
EndDialog.USER32(?,00000001), ref: 00ED5CBD

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 53dd8c0e9f8e5a3ec0cbd25b901fbc61fccabeae87fff68e40c38385ccb78d84
Instruction ID: e69226db23da39aef4b5fcef6b77cc90e3d892f50b2ffab1f9e976ab7ffdf6b1
Opcode Fuzzy Hash: 53dd8c0e9f8e5a3ec0cbd25b901fbc61fccabeae87fff68e40c38385ccb78d84
Instruction Fuzzy Hash: 0C018631510B08ABEB305B10DD4EFA6BBB8FB00B45F04165AA587B11E1DBF1A9859E90

Function 00EA22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA22BE

Part of subcall function 00EA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000), ref: 00EA29DE
Part of subcall function 00EA29C8: GetLastError.KERNEL32(00000000,?,00EAD7D1,00000000,00000000,00000000,00000000,?,00EAD7F8,00000000,00000007,00000000,?,00EADBF5,00000000,00000000), ref: 00EA29F0

_free.LIBCMT ref: 00EA22D0
_free.LIBCMT ref: 00EA22E3
_free.LIBCMT ref: 00EA22F4
_free.LIBCMT ref: 00EA2305

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fb63b88ae4a3bcb79b7b01a878c2deac5630e0be9dfd29f9a771913807b63dc0
Instruction ID: 736fe4c95b2db66ff7615c126ae3d663321467d41c2b113a926b0af1c08a4e76
Opcode Fuzzy Hash: fb63b88ae4a3bcb79b7b01a878c2deac5630e0be9dfd29f9a771913807b63dc0
Instruction Fuzzy Hash: FBF030784002188F8752AF68BC0180A3FA5F76FB71700151EFA10FA371CB302651BBE5

Function 00E895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E895D4
StrokeAndFillPath.GDI32(?,?,00EC71F7,00000000,?,?,?), ref: 00E895F0
SelectObject.GDI32(?,00000000), ref: 00E89603
DeleteObject.GDI32 ref: 00E89616
StrokePath.GDI32(?), ref: 00E89631

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: dab2ff35648d55751a0766e0b6c9b55e285e5d2d1c554b1dba8f245e335a632b
Instruction ID: 84ee6ec56308f55a39b11eb56e878725eef89e372272c483d36c4d1a05d2f7b2
Opcode Fuzzy Hash: dab2ff35648d55751a0766e0b6c9b55e285e5d2d1c554b1dba8f245e335a632b
Instruction Fuzzy Hash: 0FF0193840620CEFDB126F65ED187643B61BB12326F089314F92DA51F1D7308995FF60

Function 00EA0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00EA10F9
__freea.LIBCMT ref: 00EA1117

Part of subcall function 00EA1537: _free.LIBCMT ref: 00EA154F

Strings

am/pm, xrefs: 00EA117A
a/p, xrefs: 00EA11DE

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0bbf34c190939de5888a6815691521a6a899afaed1a5ae2742eb67d5e7eebef1
Instruction ID: d93509f2953d7fb4f37c66ab548f035f5cd31c3a7b281571104f7e877512e5ae
Opcode Fuzzy Hash: 0bbf34c190939de5888a6815691521a6a899afaed1a5ae2742eb67d5e7eebef1
Instruction Fuzzy Hash: 1DD1F1359002069ACF249F68C895BFAB7B1EF0F314F292199E501BF650D375BD84CBA1

Function 00EA8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00EA8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00EA8B7A
__dosmaperr.LIBCMT ref: 00EA8B81

Strings

., xrefs: 00EA8A63

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: b8099c4df856df69fab8aa87aab364504801142a6ebb4f41cea5ecd56b7eeb22
Instruction ID: 6c86f4ef418e08825f50cf54c42adb80d167c144ddb5a9114754ae080edad479
Opcode Fuzzy Hash: b8099c4df856df69fab8aa87aab364504801142a6ebb4f41cea5ecd56b7eeb22
Instruction Fuzzy Hash: AE418074604045AFCB249F14C980ABD7FE5DF8F314B285169F885AF152DD31EC0297A0

Function 00ED2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EDB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00ED21D0,?,?,00000034,00000800,?,00000034), ref: 00EDB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00ED2760

Part of subcall function 00EDB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00ED21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00EDB3F8

Part of subcall function 00EDB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00EDB355
Part of subcall function 00EDB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00ED2194,00000034,?,?,00001004,00000000,00000000), ref: 00EDB365
Part of subcall function 00EDB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00ED2194,00000034,?,?,00001004,00000000,00000000), ref: 00EDB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ED27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ED281A

Strings

@, xrefs: 00ED2832

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6eba84a72e0e493124e49f6c824ef56cc13c4b720bbaf2df525d14668de8521a
Instruction ID: f3397a705a9d96e3d172b7307bc948e11eafe58af13eed2076be21ce6f98df05
Opcode Fuzzy Hash: 6eba84a72e0e493124e49f6c824ef56cc13c4b720bbaf2df525d14668de8521a
Instruction Fuzzy Hash: BD413D76900218AFDB10DFA4CD45ADEBBB8EF09300F00509AFA55B7281DB716E46DBA0

Function 00EA172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Arrival Notice.exe,00000104), ref: 00EA1769
_free.LIBCMT ref: 00EA1834
_free.LIBCMT ref: 00EA183E

Strings

C:\Users\user\Desktop\Arrival Notice.exe, xrefs: 00EA1760, 00EA1767, 00EA1796, 00EA17CE

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Arrival Notice.exe
API String ID: 2506810119-2828020761
Opcode ID: 1303b30ad68ec1e092d233602384c1fba6454bd9ff38ee691e1c9245d969d4a6
Instruction ID: 20ad3fde599a8b3d14adea77bc87885ba717c2feb48fcd2fc440e91e778facdd
Opcode Fuzzy Hash: 1303b30ad68ec1e092d233602384c1fba6454bd9ff38ee691e1c9245d969d4a6
Instruction Fuzzy Hash: 0F318475A04218AFDB25DB99D881D9EBBFCEB9B310F1051AAF904EB211D6706E40DB90

Function 00EDC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EDC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00EDC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F41990,018E5708), ref: 00EDC395

Strings

0, xrefs: 00EDC2DF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 34471a85a4bc5765ad948f3edd6b1b7441322b61974416465724c6ed7b519844
Instruction ID: 6c84efdc3e67a107c338ab1b1cfc956578b3b128de26d0561fc6fee6c222c816
Opcode Fuzzy Hash: 34471a85a4bc5765ad948f3edd6b1b7441322b61974416465724c6ed7b519844
Instruction Fuzzy Hash: 9341D431204342AFDB20DF28D884B6ABBE4EF85354F24966EF965A73D1D730E805CB52

Function 00F04416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F0CC08,00000000,?,?,?,?), ref: 00F044AA
GetWindowLongW.USER32 ref: 00F044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F044D7

Strings

SysTreeView32, xrefs: 00F0447C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 636b2f4420e8271eb3d22a5e8e8d38340ea7a81c1ecc314fd0548aea67a3c794
Instruction ID: 529c376c1ae7fc10588b8559b84f167111d08d02e6773c6b377d534dddb21ece
Opcode Fuzzy Hash: 636b2f4420e8271eb3d22a5e8e8d38340ea7a81c1ecc314fd0548aea67a3c794
Instruction Fuzzy Hash: 12319C76610209ABDB219F38DC45BEA77A9EB08334F244315FA79A21D0D770EC50BB50

Function 00ED6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00ED6EED
VariantCopyInd.OLEAUT32(?,?), ref: 00ED6F08
VariantClear.OLEAUT32(?), ref: 00ED6F12

Strings

*j, xrefs: 00ED6E8B, 00ED6E90, 00ED6EF8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: dbcc0484afb917a108cf3826567ec45d75b2703961a3bb1b323f7be9b61e2d44
Instruction ID: 8fbddc235a1459fea753e98d7abcd91974dd27dfe444c64aca865ac973b19d8d
Opcode Fuzzy Hash: dbcc0484afb917a108cf3826567ec45d75b2703961a3bb1b323f7be9b61e2d44
Instruction Fuzzy Hash: 98317EB1704645DBCB05AFA4E8919BE37B6FF85304B10549AF9066F3A1C7349912DBD0

Function 00EF304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00EF3077,?,?), ref: 00EF3378

inet_addr.WSOCK32(?), ref: 00EF307A
_wcslen.LIBCMT ref: 00EF309B
htons.WSOCK32(00000000), ref: 00EF3106

Strings

255.255.255.255, xrefs: 00EF3095, 00EF309A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ed3b0f5211c01f9e90da34b26d8d0d57a38040ab2e69874ebe2a19a2982cd825
Instruction ID: 293e0308c2147ac54e17a35db67f7eb132d3c4fee7a59dacc750f9b8af6df2fd
Opcode Fuzzy Hash: ed3b0f5211c01f9e90da34b26d8d0d57a38040ab2e69874ebe2a19a2982cd825
Instruction Fuzzy Hash: DA31D5356002099FCB20CF38C485EBA77E0EF54318F24D15AEA15AB392DB72DE45C761

Function 00F03EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F03F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F03F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F03F78

Strings

SysMonthCal32, xrefs: 00F03F0B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 39417660a4f0e0cbf3ed02d4a9d413c64893405dedf13094bda2938b8b81a625
Instruction ID: 7bd211aac6b6a04aaedb80a6aa07ae9022dc4fba3c0ed4c61e49e9e3d2f49fee
Opcode Fuzzy Hash: 39417660a4f0e0cbf3ed02d4a9d413c64893405dedf13094bda2938b8b81a625
Instruction Fuzzy Hash: D6219F32A00219BBDF259F50DC46FEA3B79EF48724F110214FE196B1D0DAB5A991EB90

Function 00F04653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F04705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F04713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F0471A

Strings

msctls_updown32, xrefs: 00F04684

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 901fefad1d9b5783bf0ec89ab43e86f9af1fc4eaf60b0b531cc9e536dc97dbe6
Instruction ID: 91f2de19922ac81a1ec6d67f89212fa0faeb1a45a9194cdfdd7da138a70cb970
Opcode Fuzzy Hash: 901fefad1d9b5783bf0ec89ab43e86f9af1fc4eaf60b0b531cc9e536dc97dbe6
Instruction Fuzzy Hash: 66215EF5600208AFEB10DF68DC91DA737EDEF5A3A4B040459FA049B2A1DB31FC51EA60

Function 00ED95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ED961D

Strings

#notrayicon, xrefs: 00ED95B7
#requireadmin, xrefs: 00ED95D9
#OnAutoItStartRegister, xrefs: 00ED95F3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 7e21399b4911e754584c7328d0074d53bff52f491d7195f6922e1b81d2e7a995
Instruction ID: dd24fae2b8a6c0d7db4d3fa01afddedcea1b0937351186a898a11954d3c2340f
Opcode Fuzzy Hash: 7e21399b4911e754584c7328d0074d53bff52f491d7195f6922e1b81d2e7a995
Instruction Fuzzy Hash: 2B2123B220421166C731BA24AC02FAB73D8DF91314F106027F959B7282EB55ED97D3A5

Function 00F037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F03840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F03850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F03876

Strings

Listbox, xrefs: 00F0380F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f99aba6ce406e0315fe36b0b472a7292a6d553d2d3ed4776fd9ee37438aff5d3
Instruction ID: 11455164c3dcc35ad582e3a7b9b070a69cc24ad6d6f3b65061b033664734d999
Opcode Fuzzy Hash: f99aba6ce406e0315fe36b0b472a7292a6d553d2d3ed4776fd9ee37438aff5d3
Instruction Fuzzy Hash: CD21BE72A10218BBEF218F54CC81FAB37AEEF89760F108124F9449B1D0CA71DC52A7A0

Function 00EE49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EE4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EE4A5C
SetErrorMode.KERNEL32(00000000,?,?,00F0CC08), ref: 00EE4AD0

Strings

%lu, xrefs: 00EE4A6F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: dbec877bf27f72b105bfd5bccfd5aef3a565323c274c0026a3a92975f2f41be9
Instruction ID: cce74a4e6a169ae61fa230933a22bc5121cc46d2dda7c6213923fe5b5df294a3
Opcode Fuzzy Hash: dbec877bf27f72b105bfd5bccfd5aef3a565323c274c0026a3a92975f2f41be9
Instruction Fuzzy Hash: EA316275A00109AFDB10DF54C885EAABBF8EF08318F1480A5F909EB392D771ED45DBA1

Function 00F041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F0424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F04264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F04271

Strings

msctls_trackbar32, xrefs: 00F04226

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b99a9428e1e6bb6a04e6ab2cac0656197dec3972e637474918eb5e66baa591c0
Instruction ID: 1f4e31d2a10f6d68ef1f466fa140c936e2ea9dc36f6007af98e6bf851b93c35b
Opcode Fuzzy Hash: b99a9428e1e6bb6a04e6ab2cac0656197dec3972e637474918eb5e66baa591c0
Instruction Fuzzy Hash: F511E371740208BEEF205F28CC06FAB3BACEF95B64F010114FA55E20D0D671E861BB10

Function 00ED2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E76B57: _wcslen.LIBCMT ref: 00E76B6A

Part of subcall function 00ED2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00ED2DC5
Part of subcall function 00ED2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ED2DD6
Part of subcall function 00ED2DA7: GetCurrentThreadId.KERNEL32 ref: 00ED2DDD
Part of subcall function 00ED2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00ED2DE4

GetFocus.USER32 ref: 00ED2F78

Part of subcall function 00ED2DEE: GetParent.USER32(00000000), ref: 00ED2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00ED2FC3
EnumChildWindows.USER32(?,00ED303B), ref: 00ED2FEB

Strings

%s%d, xrefs: 00ED2FFF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: cec6658ad2df7cbf399c67e4cca3b46f1d03def780a2aa27a825a5a91083fe0a
Instruction ID: a0de2477bfa82eb4f46c6ba6faf593e1a59c5307fc361005dea3e07f9e0268de
Opcode Fuzzy Hash: cec6658ad2df7cbf399c67e4cca3b46f1d03def780a2aa27a825a5a91083fe0a
Instruction Fuzzy Hash: C311EB712002056BCF107F708C85EED37AAEF94308F049076F90DB7292DE31990A9B61

Function 00F05882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F058EE
DrawMenuBar.USER32(?), ref: 00F058FD

Strings

0, xrefs: 00F0588F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b97cd9d3f2f8a4dea6bad9d3419eb7a16c4c09863c6df4c882e9444e2a5c5225
Instruction ID: a61377c966f4415269e181a38d2e6a165daa1a8fa6c96f96ca47006379f5c603
Opcode Fuzzy Hash: b97cd9d3f2f8a4dea6bad9d3419eb7a16c4c09863c6df4c882e9444e2a5c5225
Instruction Fuzzy Hash: 72018C36900218EFDB219F11DC44BAFBBB4FF45761F1480A9E849E6191DBB08A94FF61

Function 00ECD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00ECD3BF
FreeLibrary.KERNEL32 ref: 00ECD3E5

Strings

X64, xrefs: 00ECD2A8
GetSystemWow64DirectoryW, xrefs: 00ECD3B9

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 51e44b0f640af6dc5e4db1f4e981fdeca894bdcfd0108a410797c91a271d106e
Instruction ID: 39f47c6f473d722af6b54d575d7c77479ba9154e1700a6308b89ce2444391ddd
Opcode Fuzzy Hash: 51e44b0f640af6dc5e4db1f4e981fdeca894bdcfd0108a410797c91a271d106e
Instruction Fuzzy Hash: 0EF0557280D6209BC73923104E24FAA7310EF10715F65763DE80AF20A5D723CC42A2C2

Function 00ED007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec84f25905952c6ac398381b5be0965d2dec01c600e0f5607d5f3389cfc05b6
Instruction ID: 04b7b1fdd73167a358e2235744a4354ae1688b43e450acb636d9e3bdf194b09e
Opcode Fuzzy Hash: dec84f25905952c6ac398381b5be0965d2dec01c600e0f5607d5f3389cfc05b6
Instruction Fuzzy Hash: 99C13875A0020AEFDB14CFA4C894BAEB7B5FF48704F249599E505EB251D731EE42CB90

Function 00EF342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EF3459
CoUninitialize.OLE32 ref: 00EF3463
VariantInit.OLEAUT32(?), ref: 00EF346E
VariantClear.OLEAUT32(?), ref: 00EF371B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 010da137f43793e8967f43ac04780b13bcaf5cae3577b26c1b04a12cc6c5e0b3
Instruction ID: ef0fb3c863599506065e2f061b7aeed18ebcbb751809af431820b5b4df30e135
Opcode Fuzzy Hash: 010da137f43793e8967f43ac04780b13bcaf5cae3577b26c1b04a12cc6c5e0b3
Instruction Fuzzy Hash: 4AA13A756043049FC710EF28C485A2AB7E5FF88714F15995DFA8AAB362DB30EE05CB91

Function 00ED0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F0FC08,?), ref: 00ED05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F0FC08,?), ref: 00ED0608
CLSIDFromProgID.OLE32(?,?,00000000,00F0CC40,000000FF,?,00000000,00000800,00000000,?,00F0FC08,?), ref: 00ED062D
_memcmp.LIBVCRUNTIME ref: 00ED064E

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8cc927415f94169184a6aeb798fee156deed2f10ab85fc53f4eb90570b2fc4cc
Instruction ID: 21973b1863f560b134e3f9f2bebe0b81c84cf240da648883b937789c5cf46913
Opcode Fuzzy Hash: 8cc927415f94169184a6aeb798fee156deed2f10ab85fc53f4eb90570b2fc4cc
Instruction Fuzzy Hash: 49811C71A00109EFCB04DF94C984EEEB7B9FF89315F244599E516BB250DB71AE06CBA0

Function 00EB1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB14C0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a683e7c5c22771f1283e68dcb824c58b201f66b3c4d87bf71be39958e8c82a80
Instruction ID: 1193374f1a65e87aa7e1a1b1c4b512e105b5d436b136d038229d6b14e8b75c11
Opcode Fuzzy Hash: a683e7c5c22771f1283e68dcb824c58b201f66b3c4d87bf71be39958e8c82a80
Instruction Fuzzy Hash: 93416C31600200ABDF216BBD8C567FF3AE5EF46374F6422A5F438F61A2E63449415262

Function 00F06278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(018EE960,?), ref: 00F062E2
ScreenToClient.USER32(?,?), ref: 00F06315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F06382

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1ce37f813f128a1e9790b80b95e3f9b21f8852395b066ba5f07dc74516671c67
Instruction ID: 0f2e70fd26f266141ef41d4086cda5cc4af9e46f6678a1ca0ee0619152511ecf
Opcode Fuzzy Hash: 1ce37f813f128a1e9790b80b95e3f9b21f8852395b066ba5f07dc74516671c67
Instruction Fuzzy Hash: 4F510B75A00209EFDF20DF54D881AAE7BB6FB55360F108269F915D72D0D730AD91EB90

Function 00EF1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EF1AFD
WSAGetLastError.WSOCK32 ref: 00EF1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EF1B8A
WSAGetLastError.WSOCK32 ref: 00EF1B94

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 4f76d79390e7506cb67ee542434248cd82621797a092bc5453581aca643f89ee
Instruction ID: 09db431d85af660e12740787e5b85b619eba17c7030272bd96df5272dded9f8b
Opcode Fuzzy Hash: 4f76d79390e7506cb67ee542434248cd82621797a092bc5453581aca643f89ee
Instruction Fuzzy Hash: 62417C34640204EFE720AF24C886F2A77E5AB44718F54D598FA5AAF2D3D672ED418B90

Function 00EAB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472fd193774f32efef5a8c10d9c224d8bae0bd08b669f3a7c3114b8596993356
Instruction ID: 5ecdfd7d00181ab5999e07b26284b90521c5fdbee946a0ee97797cb7a8584b8d
Opcode Fuzzy Hash: 472fd193774f32efef5a8c10d9c224d8bae0bd08b669f3a7c3114b8596993356
Instruction Fuzzy Hash: D141E271A00304AFD7249F78C841BAABBE9EB8D720F10566EF551EF292E771B9018780

Function 00EE56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EE5783
GetLastError.KERNEL32(?,00000000), ref: 00EE57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EE57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EE57FA

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1c48708f9b95c6edc3c047a644336da2f306e5b68f11ea1b14c398b1020bd502
Instruction ID: 23e8561122ffa2920b87583efab9ca08cf2ca38d41d7e6f7535159e99d5980db
Opcode Fuzzy Hash: 1c48708f9b95c6edc3c047a644336da2f306e5b68f11ea1b14c398b1020bd502
Instruction Fuzzy Hash: AD413B3A600654DFCB15EF15C544A5EBBE6EF89724B18D499E84AAB362CB30FD00CB91

Function 00EAD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E982D9,?,00E982D9,?,00000001,?,?,00000001,00E982D9,00E982D9), ref: 00EAD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EAD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EAD9AB
__freea.LIBCMT ref: 00EAD9B4

Part of subcall function 00EA3820: RtlAllocateHeap.NTDLL(00000000,?,00F41444,?,00E8FDF5,?,?,00E7A976,00000010,00F41440,00E713FC,?,00E713C6,?,00E71129), ref: 00EA3852

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e349ab3908f4633f45f91c8f6a9c9f3ffb5a4de5aa5fb8e912ae87d314fd284d
Instruction ID: 14ad1c5693f348feda3bcf2e44743b27cd6af98f8342d5e048ddbd90bc7c1d5c
Opcode Fuzzy Hash: e349ab3908f4633f45f91c8f6a9c9f3ffb5a4de5aa5fb8e912ae87d314fd284d
Instruction Fuzzy Hash: 2731C072A0020AABDF24DF64DC45EEF7BA5EB85314B050168FC05EA150E775ED54CB90

Function 00F052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00F05352
GetWindowLongW.USER32(?,000000F0), ref: 00F05375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F05382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F053A8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 4c0cf7980782a25ae9a29e6647cda6aae40ede1ac24fb4b11a81f918b1405c8c
Instruction ID: 9696f6a7b51040927f66746424fa9a44efdd486a2894673c7d8712a19cd81935
Opcode Fuzzy Hash: 4c0cf7980782a25ae9a29e6647cda6aae40ede1ac24fb4b11a81f918b1405c8c
Instruction Fuzzy Hash: 7331B235E55A0CAFEB309B54CC06BEA7767AB05BA0F984101FA14961E1C7F1A980BF41

Function 00EDAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00EDABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00EDAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00EDAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00EDACC6

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cf546645f88da047c56d45360de0a88d9991ed6f6f49e635db04fea72aa504a5
Instruction ID: 1d081a5bb9118a39930c0b732aa946fcccbe1fb3e21b4e76b05f7e9d3dc459d8
Opcode Fuzzy Hash: cf546645f88da047c56d45360de0a88d9991ed6f6f49e635db04fea72aa504a5
Instruction Fuzzy Hash: FA31FA30A606186FEB35CB658C047FAB7A5EB85324F0C632BE485663D1C3758A469792

Function 00F07674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F0769A
GetWindowRect.USER32(?,?), ref: 00F07710
PtInRect.USER32(?,?,00F08B89), ref: 00F07720
MessageBeep.USER32(00000000), ref: 00F0778C

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 953f4c7488601554a5bef3ada6f1187456ec4b26a5d8a697ba361eeabf3bb68d
Instruction ID: 30285c73bae319fd352b732ab7a65641046aaba9970f667b012606366ffabd6e
Opcode Fuzzy Hash: 953f4c7488601554a5bef3ada6f1187456ec4b26a5d8a697ba361eeabf3bb68d
Instruction Fuzzy Hash: 51418D38E05318DFDB11EF58C894EA9BBF4BB49350F1841E8E8149B2A1C371B981FB90

Function 00F016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F016EB

Part of subcall function 00ED3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ED3A57
Part of subcall function 00ED3A3D: GetCurrentThreadId.KERNEL32 ref: 00ED3A5E
Part of subcall function 00ED3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00ED25B3), ref: 00ED3A65

GetCaretPos.USER32(?), ref: 00F016FF
ClientToScreen.USER32(00000000,?), ref: 00F0174C
GetForegroundWindow.USER32 ref: 00F01752

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 158413c8b1ee64238b71d786f5522a9ac17668f7c20e9e52883be6d02a3a5860
Instruction ID: 3f97965f5e5218fe51957bd90e030e96e2931e9fa0055c0450868d3f3c0f385c
Opcode Fuzzy Hash: 158413c8b1ee64238b71d786f5522a9ac17668f7c20e9e52883be6d02a3a5860
Instruction Fuzzy Hash: 92315075E00149AFC704EFA9C881CAEBBFDFF48304B5490AAE415E7251E7319E45DBA0

Function 00EDD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EDD501
Process32FirstW.KERNEL32(00000000,?), ref: 00EDD50F
Process32NextW.KERNEL32(00000000,?), ref: 00EDD52F
CloseHandle.KERNEL32(00000000), ref: 00EDD5DC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f9c6eeabdaee75f1f8d769975bdcc08066255f89e7c9c881127b7e865704f247
Instruction ID: e79b600afd0204d2867a7c0acad83c7a89001b53fcbe9f105375bcf88adbc8e9
Opcode Fuzzy Hash: f9c6eeabdaee75f1f8d769975bdcc08066255f89e7c9c881127b7e865704f247
Instruction Fuzzy Hash: CB31AF311083009FD304EF64DC81AAFBBF8EFD9354F14592DF585A62A2EB719945CB92

Function 00F08FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E89BB2

GetCursorPos.USER32(?), ref: 00F09001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EC7711,?,?,?,?,?), ref: 00F09016
GetCursorPos.USER32(?), ref: 00F0905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EC7711,?,?,?), ref: 00F09094

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 77a484af4774877274c7d17cb58cf960b667f6943795a25107427e39f24ef481
Instruction ID: 4f6cb6a4750906f4d41f4fdabf1ce070aebb156506a1b075617778e97ea9c8b0
Opcode Fuzzy Hash: 77a484af4774877274c7d17cb58cf960b667f6943795a25107427e39f24ef481
Instruction Fuzzy Hash: 51219F35A00018EFDB258FA4CC58EFB7BB9FB8A360F044155F9455B2A2D3719990FBA0

Function 00EDD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F0CB68), ref: 00EDD2FB
GetLastError.KERNEL32 ref: 00EDD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EDD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F0CB68), ref: 00EDD376

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c65fe2de2e2623f1f41868e502af935eb0bcb192b6afcc69181646f12af317a8
Instruction ID: 84928d30814b7affb487a1fdd3bc9529c282d1120196f9946386e36abdba5525
Opcode Fuzzy Hash: c65fe2de2e2623f1f41868e502af935eb0bcb192b6afcc69181646f12af317a8
Instruction Fuzzy Hash: 60215C705092019FC710DF28C8818AA77E4EF56368F105A1AF499E73A1D731D946DB93

Function 00ED1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00ED102A
Part of subcall function 00ED1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00ED1036
Part of subcall function 00ED1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED1045
Part of subcall function 00ED1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED104C
Part of subcall function 00ED1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ED1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00ED15BE
_memcmp.LIBVCRUNTIME ref: 00ED15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED1617
HeapFree.KERNEL32(00000000), ref: 00ED161E

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8d30c73d98832db6ce2f7cf1c63888cf017d23bbcfb8d87174d4f374794d5133
Instruction ID: bde31e8d4ace86a73f8d92d19e82ece4e443098769c59f02e5493ea05783bcdb
Opcode Fuzzy Hash: 8d30c73d98832db6ce2f7cf1c63888cf017d23bbcfb8d87174d4f374794d5133
Instruction Fuzzy Hash: E0216971E00109BFDB10DFA4C945BEEB7B8EF44348F08559AE451BB281E734AA46DBA0

Function 00F02782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00F0280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F02824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F02832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F02840

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6b65f673003fc0cb47ba7dcafa1ed5e9c755e0c6a824153087ded80d521f0a1d
Instruction ID: 020b5895b43b29328ec19be77d893be604bb5bb1d717362804eef256b48647b7
Opcode Fuzzy Hash: 6b65f673003fc0cb47ba7dcafa1ed5e9c755e0c6a824153087ded80d521f0a1d
Instruction Fuzzy Hash: A921F435704110AFD7549B24CC48F6A7799AF45324F248259F4168B6D2CB75FC42E7E0

Function 00ED78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00ED790A,?,000000FF,?,00ED8754,00000000,?,0000001C,?,?), ref: 00ED8D8C
Part of subcall function 00ED8D7D: lstrcpyW.KERNEL32(00000000,?,?,00ED790A,?,000000FF,?,00ED8754,00000000,?,0000001C,?,?,00000000), ref: 00ED8DB2
Part of subcall function 00ED8D7D: lstrcmpiW.KERNEL32(00000000,?,00ED790A,?,000000FF,?,00ED8754,00000000,?,0000001C,?,?), ref: 00ED8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00ED8754,00000000,?,0000001C,?,?,00000000), ref: 00ED7923
lstrcpyW.KERNEL32(00000000,?,?,00ED8754,00000000,?,0000001C,?,?,00000000), ref: 00ED7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00ED8754,00000000,?,0000001C,?,?,00000000), ref: 00ED7984

Strings

cdecl, xrefs: 00ED797B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 06608564c9a90cf2ad912cb9fa02deb4c3cd3d116dbc3039b9393ca6557f0f83
Instruction ID: acf8472d1cd359854f550c55c363070665dbd4f7654ad4b2d61ef64b2d337737
Opcode Fuzzy Hash: 06608564c9a90cf2ad912cb9fa02deb4c3cd3d116dbc3039b9393ca6557f0f83
Instruction Fuzzy Hash: 8411E13A200202ABCB15AF34C855D7A77E9FF89354B00602BE886D73A4FB319812D7A1

Function 00F07CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F07D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F07D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F07D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EEB7AD,00000000), ref: 00F07D6B

Part of subcall function 00E89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E89BB2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 3b756baaf983c450c5bcd8e94b53d6b364af6adffa79e3cab2b24db47e323a99
Instruction ID: 3e293735f83b898a2f65a5ac995649f6056b2c1037da0b1da94a726351963132
Opcode Fuzzy Hash: 3b756baaf983c450c5bcd8e94b53d6b364af6adffa79e3cab2b24db47e323a99
Instruction Fuzzy Hash: 7A119335A05619AFDB20AF28CC04A763BA5BF45370B154764F839D71F0E731A950FB90

Function 00F05660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00F056BB
_wcslen.LIBCMT ref: 00F056CD
_wcslen.LIBCMT ref: 00F056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F05816

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 9f3c38ffe4c03c0407598f08ac704e87571242ec8d90e17f38ba54a9af888a94
Instruction ID: 411bc607f45148e6f05c656415e56d2cecf2dd79c95273ecf7e023a4eaf408d4
Opcode Fuzzy Hash: 9f3c38ffe4c03c0407598f08ac704e87571242ec8d90e17f38ba54a9af888a94
Instruction Fuzzy Hash: 4B11AF76A00609A6DF20DB61CC85AEF77ACEF11B60B504126FD15960C1EBB0CA81FF60

Function 00EA1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d364725000ca7477ae611e8814ba76bc5679927281c6bdf534f0cbaf762d03
Instruction ID: a3ba2013cc604765c892c501175dbd708c41de5088f2889abbe5cdde46a651a4
Opcode Fuzzy Hash: 75d364725000ca7477ae611e8814ba76bc5679927281c6bdf534f0cbaf762d03
Instruction Fuzzy Hash: E601A2B220961A3EF61116786CC0F67665CEF8B7B9F302369F621791D2DB60AC005160

Function 00ED1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00ED1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED1A8A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fa1e253370953280cf76f5287917c31de2a8ae84f1c018e03f166996ca5f5773
Instruction ID: a211d995139754f29467b6225745ec9ce24ae76293a0fb883a9a4948201eec58
Opcode Fuzzy Hash: fa1e253370953280cf76f5287917c31de2a8ae84f1c018e03f166996ca5f5773
Instruction Fuzzy Hash: 5A11093AD01219FFEB11DBA5CD85FADBB78FB08754F200092EA04B7290D6716E51DB94

Function 00EDE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EDE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00EDE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EDE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EDE24D

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 6cb9ce2f69c2f6a3728ba3ce08f76cf875a567ca9c627a6bb19b438c405a106f
Instruction ID: 4f416ae7a183b7b809df441a8ef03a61566bd5ad9415070f825914e60944e6ac
Opcode Fuzzy Hash: 6cb9ce2f69c2f6a3728ba3ce08f76cf875a567ca9c627a6bb19b438c405a106f
Instruction Fuzzy Hash: EA11DB7690425CBBD701AFA89C09AAF7FACFB45314F14435AF924E7391D670DD0497A0

Function 00E9D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00E9CFF9,00000000,00000004,00000000), ref: 00E9D218
GetLastError.KERNEL32 ref: 00E9D224
__dosmaperr.LIBCMT ref: 00E9D22B
ResumeThread.KERNEL32(00000000), ref: 00E9D249

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 78254b07294eaab3e85397ed4b7bc34f839c7da1a05b90428ffb76b73dc98824
Instruction ID: caf8e546ba3717966cab9dea80b797edcc200a7f3aa16afa80f8455974dbbfc7
Opcode Fuzzy Hash: 78254b07294eaab3e85397ed4b7bc34f839c7da1a05b90428ffb76b73dc98824
Instruction Fuzzy Hash: C301F936809228BBCF115BA5DC05BAF7AADEF81730F201319F925B61E0CB70C941D6A0

Function 00F09EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E89BB2

GetClientRect.USER32(?,?), ref: 00F09F31
GetCursorPos.USER32(?), ref: 00F09F3B
ScreenToClient.USER32(?,?), ref: 00F09F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00F09F7A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 89baa520687cc0e709a39380eae9f1339370d1d76bc798da5241fa8ad26f840d
Instruction ID: 6f543418b725748d03611e7e3534a6af22b1eac4620368f42b93557e888e2619
Opcode Fuzzy Hash: 89baa520687cc0e709a39380eae9f1339370d1d76bc798da5241fa8ad26f840d
Instruction Fuzzy Hash: 1E11483690411AABDB10EF68DC899FE77B8FB05312F000551F911E3182E774BA81EBA1

Function 00E7600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E7604C
GetStockObject.GDI32(00000011), ref: 00E76060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E7606A

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 705873bc28ac39b5dffa7c605f28d76d325cf777705e6c96b3fc22d07b0ff793
Instruction ID: 5c928f2784ff3cd4c0c4ad90a30094ab90d5b959abea25a8662a2c944a004dda
Opcode Fuzzy Hash: 705873bc28ac39b5dffa7c605f28d76d325cf777705e6c96b3fc22d07b0ff793
Instruction Fuzzy Hash: 88115B72501909BFEF224FA49C44AEABB69FF193A8F045215FA1866150D732DC60ABA0

Function 00E93B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E93B56

Part of subcall function 00E93AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E93AD2
Part of subcall function 00E93AA3: ___AdjustPointer.LIBCMT ref: 00E93AED

_UnwindNestedFrames.LIBCMT ref: 00E93B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E93B7C
CallCatchBlock.LIBVCRUNTIME ref: 00E93BA4

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 81064c38b903973db14ce2a33e96fb9a991329b6f1e4a8484fa2165e117ee384
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2E012D72100148BBDF115EA5CC42DEB7BA9EF48758F045014FE4866121D732D961EBA0

Function 00EA3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E713C6,00000000,00000000,?,00EA301A,00E713C6,00000000,00000000,00000000,?,00EA328B,00000006,FlsSetValue), ref: 00EA30A5
GetLastError.KERNEL32(?,00EA301A,00E713C6,00000000,00000000,00000000,?,00EA328B,00000006,FlsSetValue,00F12290,FlsSetValue,00000000,00000364,?,00EA2E46), ref: 00EA30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EA301A,00E713C6,00000000,00000000,00000000,?,00EA328B,00000006,FlsSetValue,00F12290,FlsSetValue,00000000), ref: 00EA30BF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d45e837adda2c15b7ee6cec0f54ae1378428fcfb2d8cb96d0be0f1b435a9f3ee
Instruction ID: d75d0b7a16030585b2d0cd61a1fe88c48b44e92ed185cfa23560beb54e039689
Opcode Fuzzy Hash: d45e837adda2c15b7ee6cec0f54ae1378428fcfb2d8cb96d0be0f1b435a9f3ee
Instruction Fuzzy Hash: BB01A736711226ABCB314B799CC49977B98AF4BBA5B215720F905FB180D721E901C6E0

Function 00ED7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00ED747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00ED7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00ED74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00ED74CA

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c272d2edb826bc2622369173ad92ad6eb5d1b260503304f610de2920e29cba93
Instruction ID: 6893d0265ee781cd39b55bc799ecd619fd845ebbcdeff389c3f9408c829cd792
Opcode Fuzzy Hash: c272d2edb826bc2622369173ad92ad6eb5d1b260503304f610de2920e29cba93
Instruction Fuzzy Hash: 2D11A1B52053149BE721CF14DD08B96BFFCFB00B04F10856AA6A6E6291E770E905DB90

Function 00EDB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EDACD3,?,00008000), ref: 00EDB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EDACD3,?,00008000), ref: 00EDB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EDACD3,?,00008000), ref: 00EDB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EDACD3,?,00008000), ref: 00EDB126

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 241c4bd93c7c8bb459533375f3fae9818346acc75920dcb3607b2f668f130dec
Instruction ID: ccc7d0258384959bc6d8a27fbb6ed00364b59142fffced2b867193abd215e4bd
Opcode Fuzzy Hash: 241c4bd93c7c8bb459533375f3fae9818346acc75920dcb3607b2f668f130dec
Instruction Fuzzy Hash: FD11C030C0162CE7CF00AFE4EA696EEBF78FF09310F125186D941B2281DB308652DB91

Function 00ED2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00ED2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ED2DD6
GetCurrentThreadId.KERNEL32 ref: 00ED2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00ED2DE4

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 45769f80327856593b09c8a92528997f16f486fef5386ba6cac8ab2dd04e704c
Instruction ID: 03df8e87c1778655f6ef2c709525ea434d405a4ed09fdcf10b63ef5b54168105
Opcode Fuzzy Hash: 45769f80327856593b09c8a92528997f16f486fef5386ba6cac8ab2dd04e704c
Instruction Fuzzy Hash: 59E092711012287BD7301B739C0DFEB3E6DFF56BA1F00121AF209E11809AA1C841D6F0

Function 00F08863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E89693
Part of subcall function 00E89639: SelectObject.GDI32(?,00000000), ref: 00E896A2
Part of subcall function 00E89639: BeginPath.GDI32(?), ref: 00E896B9
Part of subcall function 00E89639: SelectObject.GDI32(?,00000000), ref: 00E896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00F08887
LineTo.GDI32(?,?,?), ref: 00F08894
EndPath.GDI32(?), ref: 00F088A4
StrokePath.GDI32(?), ref: 00F088B2

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 240e562c703ca300f72d5ccf7a993b76b515f1068f9148604507e30218e0b8df
Instruction ID: c27a7eae9d44344e4b9d6a279444803f8e822d5ad63a39256889f3a01efc71e4
Opcode Fuzzy Hash: 240e562c703ca300f72d5ccf7a993b76b515f1068f9148604507e30218e0b8df
Instruction Fuzzy Hash: 90F03A36041258FAEB126F94AC09FCA3E59BF16310F448100FA11A51E2C7755551FBE5

Function 00E898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E898CC
SetTextColor.GDI32(?,?), ref: 00E898D6
SetBkMode.GDI32(?,00000001), ref: 00E898E9
GetStockObject.GDI32(00000005), ref: 00E898F1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 196cb8230cfad8fa71299ff91d132dea6aa50dbd5f773d34c0478283d54916cd
Instruction ID: aae4928419d03e405a534e0bef18508cfa30327dbaae179743cad16fb0ab612d
Opcode Fuzzy Hash: 196cb8230cfad8fa71299ff91d132dea6aa50dbd5f773d34c0478283d54916cd
Instruction Fuzzy Hash: 01E06531244244AEDB215B74AC09BE83F10BB11736F048319F6F9540E1C3724651AF50

Function 00ED162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00ED1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00ED11D9), ref: 00ED163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00ED11D9), ref: 00ED1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00ED11D9), ref: 00ED164F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2949273ac9ee73f146a41bef60f1a6f7cd44ca0186c15a0110a6c0405aa36b5a
Instruction ID: 0ad915c9f69aca4f1ce153e6d4d08b6cb61ceda57249fe2157ded208855ca665
Opcode Fuzzy Hash: 2949273ac9ee73f146a41bef60f1a6f7cd44ca0186c15a0110a6c0405aa36b5a
Instruction Fuzzy Hash: 0EE08C32602215EBEB201FA0AE0DB863B7CFF44796F148949F285D9080E6348441DBA0

Function 00ECD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ECD858
GetDC.USER32(00000000), ref: 00ECD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ECD882
ReleaseDC.USER32(?), ref: 00ECD8A3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 741ecb67c2db153313bd12de286675eef941ceff01ac69da9ab82be142b2bef0
Instruction ID: c133e8d0f2adad10b29e559eb2c98c724dbd8ec0117beef68e023699279ba8e0
Opcode Fuzzy Hash: 741ecb67c2db153313bd12de286675eef941ceff01ac69da9ab82be142b2bef0
Instruction Fuzzy Hash: C3E01AB1804208DFCF51AFA0D908A6DBBF6FB08310F249119F84AE7250CB3A8901AF90

Function 00ECD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ECD86C
GetDC.USER32(00000000), ref: 00ECD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ECD882
ReleaseDC.USER32(?), ref: 00ECD8A3

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 80d340a3a7291c7a7d84338ad0da0d80f8a409527290e1896b8e53f2b534ec35
Instruction ID: 92fb1eba2c2d7d21bd4c6f642fde98e61260e97af32e37d168a3a3eb50f46555
Opcode Fuzzy Hash: 80d340a3a7291c7a7d84338ad0da0d80f8a409527290e1896b8e53f2b534ec35
Instruction Fuzzy Hash: 2DE092B5904208EFCF61AFA0D90866DBBF6BB08311F249549E94EE7290CB395901AF90

Function 00EE4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77620: _wcslen.LIBCMT ref: 00E77625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EE4ED4

Strings

*, xrefs: 00EE4E10
LPT, xrefs: 00EE4DFB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: dd0e83df561e542f0efe4576bf117a38a4b77aae8d38ce52bb5d9c6c734fbda3
Instruction ID: 9a42bba42014382fd41a0483401f32a35401b6d623849ec816a4980395bbeb3a
Opcode Fuzzy Hash: dd0e83df561e542f0efe4576bf117a38a4b77aae8d38ce52bb5d9c6c734fbda3
Instruction Fuzzy Hash: A39195B5A00248DFCB14DF55C484EA9BBF1BF44708F19A099E44AAF3A2C731ED85CB91

Function 00E9E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E9E30D

Strings

pow, xrefs: 00E9E2E5, 00E9E302

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 434ba806b88cb5152dbe6545213367e17d493f6d898db060d77c7377e3440a1e
Instruction ID: 8f2df42efcde547eeb17bf7d663b21cc7919e5bc0eb8c1b33b84d2d4192386ae
Opcode Fuzzy Hash: 434ba806b88cb5152dbe6545213367e17d493f6d898db060d77c7377e3440a1e
Instruction Fuzzy Hash: A2519A61A0C20296CF15F714CD013BA3BE4EF46744F30BDA8E1D56A3A9EB319CD19A46

Function 00E8E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E8E1B1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 445ac65820b8500b1026e1acd0a540faad1a6c4dd3b9934f5ca03c10023ccddb
Instruction ID: ab05f9230269960bbb1ef39c89a836aba0c64adbb177b97f2a67a52f091852fa
Opcode Fuzzy Hash: 445ac65820b8500b1026e1acd0a540faad1a6c4dd3b9934f5ca03c10023ccddb
Instruction Fuzzy Hash: D7512371500246DFDB19EF68C481AFA7BA8EF25314F24A05AE859BB3D0D6359D43CB90

Function 00E8F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E8F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E8F2BB

Strings

@, xrefs: 00E8F2AF

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a746498986218af8cae3f6bbb2fa6fe9451d70a27b22ab59b6c4d8572fbbde0b
Instruction ID: b444ca2b0bc69ef3535c6f95d3d5066d6986a6dfca2e5f56814347f768dfbe45
Opcode Fuzzy Hash: a746498986218af8cae3f6bbb2fa6fe9451d70a27b22ab59b6c4d8572fbbde0b
Instruction Fuzzy Hash: FE5144725087489BD320EF20DC86BAFBBF8FB95304F81985DF1D9511A5EB308529CB66

Function 00EF5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00EF57E0
_wcslen.LIBCMT ref: 00EF57EC

Strings

CALLARGARRAY, xrefs: 00EF57E6, 00EF57EB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: fe7b9ee86058fb11ce748887122cde606b70a19d8f5637e288fedf967e6bdb28
Instruction ID: f537ee969c8a7c7504f324e52423641ad3faa4a2f083ebf7458c8c1e17bafb48
Opcode Fuzzy Hash: fe7b9ee86058fb11ce748887122cde606b70a19d8f5637e288fedf967e6bdb28
Instruction Fuzzy Hash: 0141A671A001499FCB18DF68C4828BEBBF5FF69354F545129E605B7291D7349D41CB90

Function 00EED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EED13A

Strings

|, xrefs: 00EED10B

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d340eb2235cbc6bb423a31ac81379cbdcbad645de555d3075eaa38457bdc15c7
Instruction ID: 3dbdb44a8b9aad166eed9a9204a87fb2f85acd7d03551d750135c1afb268fbd7
Opcode Fuzzy Hash: d340eb2235cbc6bb423a31ac81379cbdcbad645de555d3075eaa38457bdc15c7
Instruction Fuzzy Hash: 5D312A71D01219ABCF15EFA5CC85AEEBFB9FF04304F005019F819B6166E731AA06DB61

Function 00F0356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F03621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F0365C

Strings

static, xrefs: 00F035BC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a7b292dfb5a4843258f6287e32f31d09674dc211dcfb4d1088aa54a8bc028227
Instruction ID: 3e18be6ec4447dc513bc0d826d3bbb56be1ffe1d87dbd24b3fa5f45ea24c2ddb
Opcode Fuzzy Hash: a7b292dfb5a4843258f6287e32f31d09674dc211dcfb4d1088aa54a8bc028227
Instruction Fuzzy Hash: 33318D71500604AADB209F68DC80EFB73ADFF88764F109619F8A997290DA31AD91E760

Function 00F04537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F0461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F04634

Strings

', xrefs: 00F0458E

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 29d399e12e4961e444eb31655b348b43efbd905f62fc6d76864095c228708c3a
Instruction ID: 2862d108c1ad0bb65fcea22032eec5055f1ec2eccf6bf984e23ec249cf3ab6aa
Opcode Fuzzy Hash: 29d399e12e4961e444eb31655b348b43efbd905f62fc6d76864095c228708c3a
Instruction Fuzzy Hash: 61313EB5A013099FDF14CFA5C980BEABBB5FF49300F144069EA04AB381E771A941EF90

Function 00E73923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EB33A2

Part of subcall function 00E76B57: _wcslen.LIBCMT ref: 00E76B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E73A04

Strings

Line: , xrefs: 00EB33EB

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: bff949e43f3f57a97ba6e834aa04f21f73ebc0ad43162fa8abba0decba03678a
Instruction ID: f5e03c04662b35cc9c79b5f2f12abdbe1b375182d0aabd0151be1e4e552a7aec
Opcode Fuzzy Hash: bff949e43f3f57a97ba6e834aa04f21f73ebc0ad43162fa8abba0decba03678a
Instruction Fuzzy Hash: 4431E571408304AAD764EB30DC46BEBB7E8AB85714F00A92AF59DA2191EB709648D7C2

Function 00F031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F0327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F03287

Strings

Combobox, xrefs: 00F03249

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7d018ffff1fc39ee38f523e588da46a28c67d7a0a1b6264d58c0d9aeea434e6d
Instruction ID: caacc47fd84126c6896b0c5a6f80501d470b9da424cfe771d86c1f0eaaa8748d
Opcode Fuzzy Hash: 7d018ffff1fc39ee38f523e588da46a28c67d7a0a1b6264d58c0d9aeea434e6d
Instruction Fuzzy Hash: 3411B2717002087FEF219F54DC81EBB37AEEB943A4F104125F918972D0D6319D51B760

Function 00F03710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E7604C
Part of subcall function 00E7600E: GetStockObject.GDI32(00000011), ref: 00E76060
Part of subcall function 00E7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E7606A

GetWindowRect.USER32(00000000,?), ref: 00F0377A
GetSysColor.USER32(00000012), ref: 00F03794

Strings

static, xrefs: 00F03757

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6d76047708a7190ec51567411f5d504888bfb1caa89f33dcab171a3a4c0ad347
Instruction ID: 743a6f47a3c426d0a95cae95f710c04289110d5d9b0b30d2590d206439e8fb73
Opcode Fuzzy Hash: 6d76047708a7190ec51567411f5d504888bfb1caa89f33dcab171a3a4c0ad347
Instruction Fuzzy Hash: 571129B2610209AFDF10DFA8CC45AEA7BB8FB08354F004A15FD55E2290D735E851AB50

Function 00EECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EECDA6

Strings

<local>, xrefs: 00EECD66

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 5725f5bac83dcc46deb4ac1eff4762c72630e9622097cd99ffeeedb101015597
Instruction ID: e1f7c711e15005a92d9ad1f065478575cbc351ad1bbc7b7e3ec441d3ed435752
Opcode Fuzzy Hash: 5725f5bac83dcc46deb4ac1eff4762c72630e9622097cd99ffeeedb101015597
Instruction Fuzzy Hash: D511C67120567ABAD7344B678C45EE7BEACEF127A8F205226B509A3080D7759882D6F0

Function 00F03429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F034BA

Strings

edit, xrefs: 00F0348F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: cdf28d87e2d3708c67aa1db8c2b435aebe05a12476c687712d40cc0d805358dd
Instruction ID: 482c308ba66ac6b39b9264d4d5cf19465b493ad7e01c1bd46a95c1a9018b4641
Opcode Fuzzy Hash: cdf28d87e2d3708c67aa1db8c2b435aebe05a12476c687712d40cc0d805358dd
Instruction Fuzzy Hash: F4119D75500108AAEB218F64DC40AAA376EEB05374F504324F9649B1D0C771DC51B750

Function 00ED6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

CharUpperBuffW.USER32(?,?,?), ref: 00ED6CB6
_wcslen.LIBCMT ref: 00ED6CC2

Strings

STOP, xrefs: 00ED6CBC, 00ED6CC1

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a36c02de85183022206324c24cc964609e33929676ab66b3a2f98db87d77550d
Instruction ID: 3ff533c22521137ead20f5da1f94d00a30a3cfb2bf825b2a2849951289361ae1
Opcode Fuzzy Hash: a36c02de85183022206324c24cc964609e33929676ab66b3a2f98db87d77550d
Instruction Fuzzy Hash: F30104326105278ACB20AFBDDC809BFB3F5EFA07147102926E852B2291EA31D802C750

Function 00ED1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00ED3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00ED3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00ED1D4C

Strings

ComboBox, xrefs: 00ED1CEB
ListBox, xrefs: 00ED1D16

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6c428195d8ee0c9ed4834c04a791c40d4b266102233eaf7ca948ee5fc90396e9
Instruction ID: 3c7f80f1a8789e7f52cdb544a18f2fc26f4766b510efda4e7f5df669c1eeb2ad
Opcode Fuzzy Hash: 6c428195d8ee0c9ed4834c04a791c40d4b266102233eaf7ca948ee5fc90396e9
Instruction Fuzzy Hash: 58012831600218BBCB08EBA0CC11CFEB3A9FF52350B10160AF826773C2EB3059098661

Function 00ED1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00ED3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00ED3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00ED1C46

Strings

ComboBox, xrefs: 00ED1BE5
ListBox, xrefs: 00ED1C10

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5aba250b0c1133f683ad4884456438bc93ed0d4e27ee32e75113a86b679f194a
Instruction ID: d75466361ddacea64b9a6764d3e2e47a7049901bd12e4181f67d62cfc392757b
Opcode Fuzzy Hash: 5aba250b0c1133f683ad4884456438bc93ed0d4e27ee32e75113a86b679f194a
Instruction Fuzzy Hash: 9A01A77579110876DF18EBA0CD52EFFF7E8DF51340F14205AA80A773C2EA249E0996B2

Function 00ED1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00ED3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00ED3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00ED1CC8

Strings

ComboBox, xrefs: 00ED1C69
ListBox, xrefs: 00ED1C94

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d29ac6c3c20a34ed869c591b23891a683d924e145e906f8e0711eb8cf001753e
Instruction ID: 4fe253939e714ed6d4cb3149d87e01f8dda47b8f0a2f8720d79b4e02d97617dd
Opcode Fuzzy Hash: d29ac6c3c20a34ed869c591b23891a683d924e145e906f8e0711eb8cf001753e
Instruction Fuzzy Hash: 5901A27179011876DB18EBA0CA02EFEF3E8DF11340F142016B80673382EA219F0A9672

Function 00ED1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79CB3: _wcslen.LIBCMT ref: 00E79CBD

Part of subcall function 00ED3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00ED3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00ED1DD3

Strings

ComboBox, xrefs: 00ED1D75
ListBox, xrefs: 00ED1DA0

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 218e400545a210678015b1be9fff89ba3c3c864a0e4f5968b32f020df78be0a2
Instruction ID: ee8dc31149075606120a55c1fe31e0e101e634151dd28ad9d798ba68c29f5b9e
Opcode Fuzzy Hash: 218e400545a210678015b1be9fff89ba3c3c864a0e4f5968b32f020df78be0a2
Instruction Fuzzy Hash: 20F0F471B5021876DB08E7A4CC52EFEB3A8EF51354F042916B826733C2DB6099098271

Function 00EF747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EF7493
_wcslen.LIBCMT ref: 00EF74B9

Strings

3, 3, 16, 1, xrefs: 00EF7483

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: c84e38c787c20b3d337dac7922ba9b3dca5ac5c05fc170e9fff28d704eb08ab5
Instruction ID: 2a220f6bac386120bc5b3859660b16ca385379400e53a90930c146ae348bc211
Opcode Fuzzy Hash: c84e38c787c20b3d337dac7922ba9b3dca5ac5c05fc170e9fff28d704eb08ab5
Instruction Fuzzy Hash: 0BE02B4220432510933122799CC1D7F5AC9CFC9760710382BFAD1E22A6EAA4CD9293A1

Function 00ED0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00ED0B23

Strings

Error allocating memory., xrefs: 00ED0B1C
AutoIt, xrefs: 00ED0B17

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: b2857f9cf28be413964d73d705ca99388909072dc9f2253e33da72ac316be886
Instruction ID: bd159047a7092c4704500f686e57c780e282fd73adac9cf4fc7c7fb5027728af
Opcode Fuzzy Hash: b2857f9cf28be413964d73d705ca99388909072dc9f2253e33da72ac316be886
Instruction Fuzzy Hash: 76E0D83124430866D21437547C03F897BC48F05F65F105427F74CB55C38AD1649026EA

Function 00E90D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E8F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E90D71,?,?,?,00E7100A), ref: 00E8F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E7100A), ref: 00E90D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E7100A), ref: 00E90D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E90D7F

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: dd69946c346dc0f4534f9491411d7e5b9ba8967162f48cfd8dc92ebd6220e16a
Instruction ID: 589b9d531e8e6a0b76a15e13563305d6aaaf01b2f03e760073f0e21c865772a7
Opcode Fuzzy Hash: dd69946c346dc0f4534f9491411d7e5b9ba8967162f48cfd8dc92ebd6220e16a
Instruction Fuzzy Hash: D2E09B742003018FD7309F78D4043427BE4BF10744F00492DE895D6A51D7B1E4449BD1

Function 00ECD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ECD220

Strings

%.3d, xrefs: 00ECD22B
X64, xrefs: 00ECD2A8

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 15c817fe79008dd6eea5d2bd5915eac749d12129d0c571efee3e34887bc632aa
Instruction ID: bfbef61b3058e2117c5b7e65a29ef053dd2b3be228a5f5c634d8fb2370b23598
Opcode Fuzzy Hash: 15c817fe79008dd6eea5d2bd5915eac749d12129d0c571efee3e34887bc632aa
Instruction Fuzzy Hash: 71D012A1C0C108E9CB54B7D0CD45EFAB3BCFB09311F509476F80EB2050D636C54A6B61

Function 00F02356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F0236C
PostMessageW.USER32(00000000), ref: 00F02373

Part of subcall function 00EDE97B: Sleep.KERNEL32 ref: 00EDE9F3

Strings

Shell_TrayWnd, xrefs: 00F02365

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ca714e9569b8c161c661bba0484a73ba121e09d05ab7d1cd6af9d7379f0650bb
Instruction ID: e84751c2247f9f8c08bf527d84a094dfb56aaf783822f7f43e51e8b334cb70b5
Opcode Fuzzy Hash: ca714e9569b8c161c661bba0484a73ba121e09d05ab7d1cd6af9d7379f0650bb
Instruction Fuzzy Hash: EFD0C9763813147AE668B7709C0FFC67659AB44B14F504A167645EA2D0C9A0A8019A94

Function 00F02322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F0232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F0233F

Part of subcall function 00EDE97B: Sleep.KERNEL32 ref: 00EDE9F3

Strings

Shell_TrayWnd, xrefs: 00F02325

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5a7b8984b8eb020c42bee7033c3fd5bab26106d33212229914ab0a85fd15eabf
Instruction ID: 77337bd4085a82be35e612a27b8dac6efba85f2d84df0755d68a9ec82e819c7b
Opcode Fuzzy Hash: 5a7b8984b8eb020c42bee7033c3fd5bab26106d33212229914ab0a85fd15eabf
Instruction Fuzzy Hash: 37D02236380300B7E278B330DC0FFC67A08EB00B10F004A027709EA2D0C8F0E801CA90

Function 00EABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00EABE93
GetLastError.KERNEL32 ref: 00EABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EABEFC

Memory Dump Source

Source File: 00000000.00000002.1724934928.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1724919453.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724988687.0000000000F32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725027374.0000000000F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725042302.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1f0d74b1881eb055697c48fb4b81bed91027647eeadf91f7215c85447f326dc0
Instruction ID: ee80048911b4983c99103118b60bde9eb27370a6b8c4093f0c2eacfd25a75153
Opcode Fuzzy Hash: 1f0d74b1881eb055697c48fb4b81bed91027647eeadf91f7215c85447f326dc0
Instruction Fuzzy Hash: D9411A38705246AFCF218F64CC54ABA7BA5EF4B314F185269F959BF1A2DB30AD00DB50

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arrival Notice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autF9A7.tmp

C:\Users\user\AppData\Local\Temp\fondaco

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
Arrival Notice.exe

Function 00E742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00E742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00EDDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Function 00E72CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00EA8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 00EB065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00E7344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E72B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00E73170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01963228 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00E72C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01962FF8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Function 00EE2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00EA5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre