Edit tour

Windows Analysis Report
Offer 2024-30496.exe

Overview

General Information

Sample name:	Offer 2024-30496.exe
Analysis ID:	1501080
MD5:	ab64db1f849b146e66310ae4533bae41
SHA1:	dfeddf8068abf927b764f81759ca840e9dfaf52d
SHA256:	b1b41226d170c28b22a37e77ae8c81accdd3c192fc5847bbde50b48a4fbb34c6
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Offer 2024-30496.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\Offer 2024-30496.exe" MD5: AB64DB1F849B146E66310AE4533BAE41)

RegSvcs.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\Offer 2024-30496.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "directora@grg.com.mx", "Password": "34(fgj5n]hjE", "Host": "dot1n2002.servwingu.mx", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14baf:$a1: get_encryptedPassword 0x14e9b:$a2: get_encryptedUsername 0x149bb:$a3: get_timePasswordChanged 0x14ab6:$a4: get_passwordField 0x14bc5:$a5: set_encryptedPassword 0x16236:$a7: get_logins 0x16199:$a10: KeyLoggerEventArgs 0x15e04:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c9a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1bbd3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1c006:$a4: \Orbitum\User Data\Default\Login Data 0x1d045:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15793:$s1: UnHook 0x1579a:$s2: SetHook 0x157a2:$s3: CallNextHook 0x157af:$s4: _hook
00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18554:$x1: $%SMTPDV$ 0x185ba:$x2: $#TheHashHere%& 0x19bdb:$x3: %FTPDV$ 0x19ccf:$x4: $%TelegramDv$ 0x15e04:$x5: KeyLoggerEventArgs 0x16199:$x5: KeyLoggerEventArgs 0x19bff:$m2: Clipboard Logs ID 0x19e1f:$m2: Screenshot Logs ID 0x19f2f:$m2: keystroke Logs ID 0x1a209:$m3: SnakePW 0x19df7:$m4: \SnakeKeylogger\
00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149af:$a1: get_encryptedPassword 0x14c9b:$a2: get_encryptedUsername 0x147bb:$a3: get_timePasswordChanged 0x148b6:$a4: get_passwordField 0x149c5:$a5: set_encryptedPassword 0x16036:$a7: get_logins 0x15f99:$a10: KeyLoggerEventArgs 0x15c04:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18354:$x1: $%SMTPDV$ 0x183ba:$x2: $#TheHashHere%& 0x199db:$x3: %FTPDV$ 0x19acf:$x4: $%TelegramDv$ 0x15c04:$x5: KeyLoggerEventArgs 0x15f99:$x5: KeyLoggerEventArgs 0x199ff:$m2: Clipboard Logs ID 0x19c1f:$m2: Screenshot Logs ID 0x19d2f:$m2: keystroke Logs ID 0x1a009:$m3: SnakePW 0x19bf7:$m4: \SnakeKeylogger\
00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Offer 2024-30496.exe PID: 6212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Offer 2024-30496.exe PID: 6212	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Offer 2024-30496.exe PID: 6212	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1da5ec:$a1: get_encryptedPassword 0x1da8ce:$a2: get_encryptedUsername 0x1da402:$a3: get_timePasswordChanged 0x1da4fd:$a4: get_passwordField 0x1da602:$a5: set_encryptedPassword 0x1dcbe1:$a7: get_logins 0x1dcb44:$a10: KeyLoggerEventArgs 0x1dc7af:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Offer 2024-30496.exe PID: 6212	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1dc7af:$x5: KeyLoggerEventArgs 0x1dcb44:$x5: KeyLoggerEventArgs 0x1dd44b:$x5: KeyLoggerEventArgs 0x1dd7ac:$x5: KeyLoggerEventArgs 0x1deda5:$m2: Clipboard Logs ID 0x1dee9c:$m2: Screenshot Logs ID 0x1deef2:$m2: keystroke Logs ID 0x1df027:$m3: SnakePW 0x1dee88:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 6408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6408	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 6408	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5b626:$a1: get_encryptedPassword 0x5b908:$a2: get_encryptedUsername 0x5b43c:$a3: get_timePasswordChanged 0x5b537:$a4: get_passwordField 0x5b63c:$a5: set_encryptedPassword 0x5dc1b:$a7: get_logins 0x5db7e:$a10: KeyLoggerEventArgs 0x5d7e9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6408	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5d7e9:$x5: KeyLoggerEventArgs 0x5db7e:$x5: KeyLoggerEventArgs 0x5e485:$x5: KeyLoggerEventArgs 0x5e7e6:$x5: KeyLoggerEventArgs 0x5fddf:$m2: Clipboard Logs ID 0x5fed6:$m2: Screenshot Logs ID 0x5ff2c:$m2: keystroke Logs ID 0x60061:$m3: SnakePW 0x5fec2:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Offer 2024-30496.exe.1200000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Offer 2024-30496.exe.1200000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Offer 2024-30496.exe.1200000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12daf:$a1: get_encryptedPassword 0x1309b:$a2: get_encryptedUsername 0x12bbb:$a3: get_timePasswordChanged 0x12cb6:$a4: get_passwordField 0x12dc5:$a5: set_encryptedPassword 0x14436:$a7: get_logins 0x14399:$a10: KeyLoggerEventArgs 0x14004:$a11: KeyLoggerEventArgsEventHandler
0.2.Offer 2024-30496.exe.1200000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1aba1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19dd3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a206:$a4: \Orbitum\User Data\Default\Login Data 0x1b245:$a5: \Kometa\User Data\Default\Login Data
0.2.Offer 2024-30496.exe.1200000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13993:$s1: UnHook 0x1399a:$s2: SetHook 0x139a2:$s3: CallNextHook 0x139af:$s4: _hook
0.2.Offer 2024-30496.exe.1200000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16754:$x1: $%SMTPDV$ 0x167ba:$x2: $#TheHashHere%& 0x17ddb:$x3: %FTPDV$ 0x17ecf:$x4: $%TelegramDv$ 0x14004:$x5: KeyLoggerEventArgs 0x14399:$x5: KeyLoggerEventArgs 0x17dff:$m2: Clipboard Logs ID 0x1801f:$m2: Screenshot Logs ID 0x1812f:$m2: keystroke Logs ID 0x18409:$m3: SnakePW 0x17ff7:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14baf:$a1: get_encryptedPassword 0x14e9b:$a2: get_encryptedUsername 0x149bb:$a3: get_timePasswordChanged 0x14ab6:$a4: get_passwordField 0x14bc5:$a5: set_encryptedPassword 0x16236:$a7: get_logins 0x16199:$a10: KeyLoggerEventArgs 0x15e04:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c9a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1bbd3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1c006:$a4: \Orbitum\User Data\Default\Login Data 0x1d045:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15793:$s1: UnHook 0x1579a:$s2: SetHook 0x157a2:$s3: CallNextHook 0x157af:$s4: _hook
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18554:$x1: $%SMTPDV$ 0x185ba:$x2: $#TheHashHere%& 0x19bdb:$x3: %FTPDV$ 0x19ccf:$x4: $%TelegramDv$ 0x15e04:$x5: KeyLoggerEventArgs 0x16199:$x5: KeyLoggerEventArgs 0x19bff:$m2: Clipboard Logs ID 0x19e1f:$m2: Screenshot Logs ID 0x19f2f:$m2: keystroke Logs ID 0x1a209:$m3: SnakePW 0x19df7:$m4: \SnakeKeylogger\
0.2.Offer 2024-30496.exe.1200000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Offer 2024-30496.exe.1200000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Offer 2024-30496.exe.1200000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Offer 2024-30496.exe.1200000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14baf:$a1: get_encryptedPassword 0x14e9b:$a2: get_encryptedUsername 0x149bb:$a3: get_timePasswordChanged 0x14ab6:$a4: get_passwordField 0x14bc5:$a5: set_encryptedPassword 0x16236:$a7: get_logins 0x16199:$a10: KeyLoggerEventArgs 0x15e04:$a11: KeyLoggerEventArgsEventHandler
0.2.Offer 2024-30496.exe.1200000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c9a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1bbd3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1c006:$a4: \Orbitum\User Data\Default\Login Data 0x1d045:$a5: \Kometa\User Data\Default\Login Data
0.2.Offer 2024-30496.exe.1200000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15793:$s1: UnHook 0x1579a:$s2: SetHook 0x157a2:$s3: CallNextHook 0x157af:$s4: _hook
0.2.Offer 2024-30496.exe.1200000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18554:$x1: $%SMTPDV$ 0x185ba:$x2: $#TheHashHere%& 0x19bdb:$x3: %FTPDV$ 0x19ccf:$x4: $%TelegramDv$ 0x15e04:$x5: KeyLoggerEventArgs 0x16199:$x5: KeyLoggerEventArgs 0x19bff:$m2: Clipboard Logs ID 0x19e1f:$m2: Screenshot Logs ID 0x19f2f:$m2: keystroke Logs ID 0x1a209:$m3: SnakePW 0x19df7:$m4: \SnakeKeylogger\
Click to see the 15 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.12 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:02:49.854492+0200
SID:	2803274
Severity:	2
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.12 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:02:48.932595+0200
SID:	2803274
Severity:	2
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.12 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:02:51.307595+0200
SID:	2803274
Severity:	2
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.12 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:02:59.756690+0200
SID:	2803305
Severity:	3
Source Port:	49726
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.12 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:02:50.601139+0200
SID:	2803305
Severity:	3
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "directora@grg.com.mx", "Password": "34(fgj5n]hjE", "Host": "dot1n2002.servwingu.mx", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Offer 2024-30496.exe	Virustotal: Detection: 54%			Perma Link
Source: Offer 2024-30496.exe	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Offer 2024-30496.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Offer 2024-30496.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.12:49712 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: Offer 2024-30496.exe, 00000000.00000003.2547601761.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, Offer 2024-30496.exe, 00000000.00000003.2548483663.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Offer 2024-30496.exe, 00000000.00000003.2547601761.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, Offer 2024-30496.exe, 00000000.00000003.2548483663.0000000003B00000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009BDBBE
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0098C2A2 FindFirstFileExW,	0_2_0098C2A2
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C68EE FindFirstFileW,FindClose,	0_2_009C68EE
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009C698F
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009BD076
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009BD3A9
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009C9642
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009C979D
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009C9B2B
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009C5C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0112EB26h	2_2_0112E938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0112F4B0h	2_2_0112E938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0112FB41h	2_2_0112F880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0112E48B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0112DE58

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49711 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49714 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49713 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49726 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.12:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009CCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_009CCE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Offer 2024-30496.exe, 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Offer 2024-30496.exe, 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33x

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009CEAFF

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009CED6A

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

0_2_009CEAFF

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_009BAA57

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009E9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: Offer 2024-30496.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Offer 2024-30496.exe, 00000000.00000000.2535803945.0000000000A12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_64b53bec-5
Source: Offer 2024-30496.exe, 00000000.00000000.2535803945.0000000000A12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1eab6e4b-4
Source: Offer 2024-30496.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a4e8ee32-7
Source: Offer 2024-30496.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cc1c3864-a

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_009BD5EB

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009B1201

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_009BE8F6

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C2046	0_2_009C2046
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00958060	0_2_00958060
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009B8298	0_2_009B8298
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0098E4FF	0_2_0098E4FF
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0098676B	0_2_0098676B
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009E4873	0_2_009E4873
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0097CAA0	0_2_0097CAA0
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0095CAF0	0_2_0095CAF0
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0096CC39	0_2_0096CC39
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00986DD9	0_2_00986DD9
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009591C0	0_2_009591C0
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0096B119	0_2_0096B119
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00971394	0_2_00971394
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00971706	0_2_00971706
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0097781B	0_2_0097781B
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009719B0	0_2_009719B0
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00957920	0_2_00957920
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0096997D	0_2_0096997D
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00977A4A	0_2_00977A4A
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00977CA7	0_2_00977CA7
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00971C77	0_2_00971C77
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00989EEE	0_2_00989EEE
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009DBE44	0_2_009DBE44
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00971F32	0_2_00971F32
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00BD35D0	0_2_00BD35D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01126120	2_2_01126120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112C1A8	2_2_0112C1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112C488	2_2_0112C488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112B740	2_2_0112B740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112C76B	2_2_0112C76B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112E938	2_2_0112E938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01129868	2_2_01129868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01126898	2_2_01126898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112F880	2_2_0112F880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112BBEB	2_2_0112BBEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112CA4B	2_2_0112CA4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01124ABA	2_2_01124ABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112BEC8	2_2_0112BEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01123573	2_2_01123573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112DE58	2_2_0112DE58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0112DE47	2_2_0112DE47

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: String function: 00959CB3 appears 31 times
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: String function: 0096F9F2 appears 40 times
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: String function: 00970A30 appears 46 times

Source: Offer 2024-30496.exe, 00000000.00000003.2548074585.0000000003DCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Offer 2024-30496.exe
Source: Offer 2024-30496.exe, 00000000.00000003.2556243974.0000000003C23000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Offer 2024-30496.exe
Source: Offer 2024-30496.exe, 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Offer 2024-30496.exe

Source: Offer 2024-30496.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, U-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, U-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009C37B5 GetLastError,FormatMessageW,

0_2_009C37B5

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009B10BF AdjustTokenPrivileges,CloseHandle,		0_2_009B10BF
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009B16C3

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009C51CD

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009DA67C

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009C648E

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009542A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

File created: C:\Users\user\AppData\Local\Temp\aut7867.tmp

Jump to behavior

Source: Offer 2024-30496.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000003025000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5019492524.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000003019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002FE3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Offer 2024-30496.exe	Virustotal: Detection: 54%
Source: Offer 2024-30496.exe	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\Offer 2024-30496.exe "C:\Users\user\Desktop\Offer 2024-30496.exe"
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Offer 2024-30496.exe"
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Offer 2024-30496.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Offer 2024-30496.exe

Static file information: File size 73400320 > 1048576

Source: Offer 2024-30496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Offer 2024-30496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Offer 2024-30496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Offer 2024-30496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Offer 2024-30496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Offer 2024-30496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Offer 2024-30496.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Offer 2024-30496.exe, 00000000.00000003.2547601761.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, Offer 2024-30496.exe, 00000000.00000003.2548483663.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Offer 2024-30496.exe, 00000000.00000003.2547601761.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, Offer 2024-30496.exe, 00000000.00000003.2548483663.0000000003B00000.00000004.00001000.00020000.00000000.sdmp

Source: Offer 2024-30496.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Offer 2024-30496.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Offer 2024-30496.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Offer 2024-30496.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Offer 2024-30496.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00970A76 push ecx; ret	0_2_00970A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011242D7 push ebx; ret	2_2_011242DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011224B9 push 8BFFFFFFh; retf	2_2_011224BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01129720 push esp; ret	2_2_01129721

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0096F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0096F98E
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009E1C41

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-99947

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

API/Special instruction interceptor: Address: BD31F4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598229	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597904	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1840			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8012			Jump to behavior

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009BDBBE
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0098C2A2 FindFirstFileExW,	0_2_0098C2A2
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C68EE FindFirstFileW,FindClose,	0_2_009C68EE
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009C698F
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009BD076
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009BD3A9
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009C9642
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009C979D
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009C9B2B
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009C5C97

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598229	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597904	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: Vmwaretrat
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q*C:\windows\System32\Drivers\vmmousever.dll
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vboxservice
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vboxtrayOC:\windows\System32\Drivers\Vmmouse.sysMC:\windows\System32\Drivers\vm3dgl.dllMC:\windows\System32\Drivers\vmtray.dllWC:\windows\System32\Drivers\VMToolsHook.dllUC:\windows\System32\Drivers\vmmousever.dllSC:\windows\System32\Drivers\VBoxMouse.sysSC:\windows\System32\Drivers\VBoxGuest.sysMC:\windows\System32\Drivers\VBoxSF.sysSC:\windows\System32\Drivers\VBoxVideo.sysGC:\windows\System32\vboxservice.exe
Source: RegSvcs.exe, 00000002.00000002.5020167632.0000000006240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\windows\System32\Drivers\vmmousever.dll
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q#C:\windows\System32\vboxservice.exe
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: Vmtoolsd
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q+C:\windows\System32\Drivers\VMToolsHook.dll
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)C:\windows\System32\Drivers\VBoxMouse.sys
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)C:\windows\System32\Drivers\VBoxGuest.sys
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: Vmwareuser
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'C:\windows\System32\Drivers\Vmmouse.sys
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q&C:\windows\System32\Drivers\VBoxSF.sys
Source: RegSvcs.exe, 00000002.00000002.5017711623.0000000000D86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009CEAA2 BlockInput,

0_2_009CEAA2

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_00982622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00982622

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00974CE8 mov eax, dword ptr fs:[00000030h]	0_2_00974CE8
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00BD34C0 mov eax, dword ptr fs:[00000030h]	0_2_00BD34C0
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00BD3460 mov eax, dword ptr fs:[00000030h]	0_2_00BD3460
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00BD1E70 mov eax, dword ptr fs:[00000030h]	0_2_00BD1E70

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_009B0B62

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00982622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00982622
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_0097083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0097083F
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009709D5 SetUnhandledExceptionFilter,	0_2_009709D5
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_00970C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00970C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B15008

Jump to behavior

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

0_2_009B1201

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_00992BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00992BA5

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009BB226 SendInput,keybd_event,

0_2_009BB226

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009D22DA

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Offer 2024-30496.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

0_2_009B0B62

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009B1663

Source: Offer 2024-30496.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Offer 2024-30496.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_00970698 cpuid

0_2_00970698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_009C8195

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009AD27A GetUserNameW,

0_2_009AD27A

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_0098B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0098B952

Source: C:\Users\user\Desktop\Offer 2024-30496.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Offer 2024-30496.exe	Binary or memory string: WIN_81
Source: Offer 2024-30496.exe	Binary or memory string: WIN_XP
Source: Offer 2024-30496.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Offer 2024-30496.exe	Binary or memory string: WIN_XPe
Source: Offer 2024-30496.exe	Binary or memory string: WIN_VISTA
Source: Offer 2024-30496.exe	Binary or memory string: WIN_7
Source: Offer 2024-30496.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR

Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_009D1204
Source: C:\Users\user\Desktop\Offer 2024-30496.exe	Code function: 0_2_009D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	221 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Virtualization/Sandbox Evasion	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Offer 2024-30496.exe	55%	Virustotal		Browse
Offer 2024-30496.exe	50%	ReversingLabs	Win32.Trojan.AgentTesla
Offer 2024-30496.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33x	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33x	RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	Offer 2024-30496.exe, 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	Offer 2024-30496.exe, 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501080
Start date and time:	2024-08-29 12:01:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Offer 2024-30496.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 6408 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:02:48	API Interceptor	11251675x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Document_pdf.exe	Get hash	malicious	FormBook	Browse	www.x0x9x8x8x7x6.shop/dscg/
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/zbi9vNYx/download
	z1209627360293827.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	file.exe	Get hash	malicious	LummaC	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	Rudvfa0Z17.exe	Get hash	malicious	Nitol	Browse	web.ad87h92j.com/4/t.bmp
	nOyswc9ly2.dll	Get hash	malicious	Unknown	Browse	web.ad87h92j.com/4/t.bmp
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0U9QqTZ6/download
	QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/e0pM9Trc/download
	steam_module_x64.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
	http://membership.garenaa.id.vn/css/tunnel.aspx/manager10.jsp	Get hash	malicious	Unknown	Browse	membership.garenaa.id.vn/user/login/images/fb_ico.png
193.122.6.168	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Bukti-Transfer.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Statement of Account.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-890.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	P.O_23514.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	STATEMENT Aug 2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	df24c9ca-d50b-c720-84ed-638e99f68d75.eml	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Scanned copy payment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	STATEMENT Aug 2024.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	df24c9ca-d50b-c720-84ed-638e99f68d75.eml	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Scanned copy payment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	https://ca.docusign.net/Signing/EmailStart.aspx?a=f73cd823-d46e-4c1d-9aa7-a3313bd2d402&etti=24&acct=9d2cdf2a-d1fa-4c66-83f5-9dd312af890e&er=68a0e22a-40d9-446a-8837-385c38bcc4d8	Get hash	malicious	Unknown	Browse	192.29.14.118
	18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DETAILING_INFO_0321.vbe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	GCBrnEGE22coKRz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	130.35.100.56
CLOUDFLARENETUS	Po#70831.exe	Get hash	malicious	Azorult	Browse	172.67.128.117
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	162.159.130.233
	Document_pdf.exe	Get hash	malicious	FormBook	Browse	104.21.62.58
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.13.205
	https://my.manychat.com/r?act=179c825ab8add5f9e8bacb82e520a126&u=7459244230843026&p=108345799024755&h=708b8c96be&fbclid=IwZXh0bgNhZW0CMTAAAR07FD8Q65AMa77uMdYFT9FANMjTbvHV0BrVDR-o7WBQKwVAUtHYk2rnVVU_aem_OFd7GNUGsZzyslAWr711gg	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://tinyurl.com/NDCEurope	Get hash	malicious	Unknown	Browse	104.18.86.42
	OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml	Get hash	malicious	Unknown	Browse	172.67.146.213
	ORDER_38746_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	STATEMENT Aug 2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	cY-5134-kfF.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	cY-5134-kfF.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\Offer 2024-30496.exe
File Type:	data
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	6.784760282767791
Encrypted:	false
SSDEEP:	3072:5pK0886gkpsimP2C+wDGnql0N5cogJBDPwd3Z1G4b:af0kPuogJBLw/A4b
MD5:	9F7A82B397BCA50BA439B9BBCFEF0EE9
SHA1:	70E268BBDBF5D0DC7675C9522DA13B9CCF7A5D4C
SHA-256:	87154983949ED44BD0A224338185711AA615721F101A652617F26F1843F06B98
SHA-512:	290D1FFEF51239FC4F19CB4024BA3A8A375D36B6E2896E68855A03585368338730FF4452E07031673F9D3FF0D2861394687A370580CD7D433D0CB66EB096745D
Malicious:	false
Reputation:	low
Preview:	\|..F11UE=F11..F2.UE9F11O.F21UE9F11OPF21UE9F11OPF21UE9F11OPF2.UE9H..AP.;.t.8....8/A.%7V!CP"p%S_;MfSTo"3\.<+..~bo=)VT{H4L.1OPF21U.\|F1}NSF...#9F11OPF2.UG8M0aOP.31UQ9F11OP.3UE.F11oRF21.E9f11ORF25UE9F11OTF21UE9F1QMPF01UE9F13O..21EE9V11OPV21EE9F11O@F21UE9F11OP.*3U.9F11oRF.!UE9F11OPF21UE9F11OP.01YE9F11OPF21UE9F11OPF21UE9F11OPF21UE9F11OPF21UE9F11OPF.1UM9F11OPF21UE1f11.PF21UE9F11O~2WI!E9F..NPF.1UE.G11MPF21UE9F11OPF2.UEYhCB=3F21.U9F1.MPF 1UE.G11OPF21UE9F11.PFr.' U)R1O\F21U.;F13OPF<3UE9F11OPF21UEyF1sOPF21UE9F11OPF21.];F11OP.21UG9C1.mQFV.UE:F11.PF4.wD9.11OPF21UE9F11OPF21UE9F11OPF21UE9F11OPF21UE9.L.@...X&..F11OPF33VA?N91OPF21UEGF11.PF2qUE9q11OuF218E9F.1OP821U;9F1UOPF@1UEXF11.PF2^UE9(11O.F21KG.f11Ez`23}d9F;1e.5.1UO.G11K#e21_.;F15<tF2;.F9F5BjPF8.QE9BB.OPL.4UE=lk1L.P41U^V.11EPE.$SE9]..ORn.1UO9l.1L.S41U^.d13.YF25..J[11Ix.21_10F13.ZF25.[;nu1OZl.OEE9B.1er8#1UA.F..1BF25~E.dO"OPB.1.gGR11K{F./W.-F15er8'1UA.F..1FF25~E.dO&OPB.1.[;.&1OTl4.7EK8-1?S).1UC..11Ex&21SE.\|1OoPF63:.9F;.efF@.tEIn.1OV`.oUG.B01EPD1LcE9B

C:\Users\user\AppData\Local\Temp\aut7867.tmp

Download File

Process:	C:\Users\user\Desktop\Offer 2024-30496.exe
File Type:	data
Category:	dropped
Size (bytes):	88398
Entropy (8bit):	7.912635002456745
Encrypted:	false
SSDEEP:	1536:h6Ptvk6OZeOFF2eyDQ8GjkivpOP/PecH+Ud2/qgJ/Bhj28ui90cV:EPtv5OwFeyDQ3jvOP3eO+UdJgf28ui9T
MD5:	43AB157343F22E4439BB9918497F03BB
SHA1:	AD188704741D693C46532C77B8481DCC31AB4A00
SHA-256:	455C4E78539B2B4BCCBECD478E3617DEDD02BD09BAD89F4FA2F09DDE344C7EBB
SHA-512:	A329AB84C1AD037D75801B82A174F921EDA24A5C034FEA38C7513160D1734F4FF0A0398F52C4FF49642CE6CF8522005857DF29D0725857719733B1EDD632B205
Malicious:	false
Reputation:	low
Preview:	EA06.....Ex.i..E.....}.e...g .e>!F.L@..P.... .e"]...>S....8.."...........BEp....U6.S.[.S:.Fy+....+\|.SV.^..JdT.71[..c}.T....F....V.8..,4...g1..@...L.X..Yo....Z,...,...P....&.Q..(....L.....cE..j..MX...,h....,.i...7......0..@B? ...%1..@..1.. ..=.L.....Y..../..1..@.~..V.Y.P.S..........@.Bqh....>.F.G......1.....,....Q..0....F...,>>-vv..C...<.1..j4j...E......i...'?.....L..;.^.bM....bg3.Pg.........$.,.........,N...!.p.BN..J..a@.,+... .........\.XR......z.L.w.$.;..s.X......)r;,.c_.h.Y..2..h.4.j.Q.....sB.E...f.h..[-s.f..4..k.k..iP..$.:,.....V.@.i9.E..J.....Lf\|...A...s..&...c&3....Z..ks.u.cO.["..%....nS...A.Q.q9.....QbvJ\|..P.Ff7.=...J^..}_.-.....8.f.......b.;.I...d.77.......).Lj.8.....I.S...'\|.....4.g:....{-..@..(..t.cO.X#....#B..n.I.2..4L.+8.59.R...dkUU....8.v.F..76.X.3..~h......B.!<z.....B#`.X..!<....$....:....Se...8..&..4...D....2[.Lj6...g2.O@....2.H@,...;..+@.l^.>....J.. .....[......-....E......i.....h....s....x..wz<.v...".9w ...S.VI..P....5)....4...-..&t.

C:\Users\user\AppData\Local\Temp\aut78D6.tmp

Download File

Process:	C:\Users\user\Desktop\Offer 2024-30496.exe
File Type:	data
Category:	dropped
Size (bytes):	43580
Entropy (8bit):	7.818095769091543
Encrypted:	false
SSDEEP:	768:MSvSxC8TemadpQZaunCduBaFISx2tEVDUQaOhFd:MGSQnvpQcea6y2SVDDa0z
MD5:	878530CC86543A8771F41F6C891DDF2A
SHA1:	3F2726B7E2AF472BA6910808ABE1877184BA41BF
SHA-256:	C568E6B7B279C5A22DC5AFF145A9B02D0AAF7C1311E6400FE778C5E0DC6B0D2A
SHA-512:	106798220E5C83D1262A927CCD6D1F8E9F2FC591CB0AB289E3A5582BD323936E77EACE7266CB47697AEEF67F98A717065DF597A72570CA83110F4447F4EBACE9
Malicious:	false
Reputation:	low
Preview:	EA06..P...)sy..g5.....6.S..Zt.gC...9.^m5..uY..6..s...eH.......3.V.sZ\|.mN..i.9.^m2.L....6m2....Y..3.U... .36.L..I..3..&sJ..kR..)S9.Jm2...5Y..3........T..+ ....6..)@..Fm4.L...."m2..5...3.Tfs.\|.`..S@....3.......g9...Y..3.U.s.d.eZ..f...3.S.....P..@!...9H..j.9..g5....9..6.Sfs....3..........R......a...4...6..l.)..6.T&....mH.L.`..H...........L.5@.....R&.Z\.d.~T&s:..gN...39.bg0...3...mZ......p.r.:..%$...fs:..eT.....u....i.<.0..9.q)..L.3....P.&eY.Mh@.5,.J...@.@..I./@....j.NQ.s@..3....9...&.i5`!8.....zI.D....h..6... ...6...i. .5L.9..1F.D..l..N@j.,.d.....i......6T`..l <...a....Y..6..s:<.gS..@L..2..eU.g..j.6..;.P'j.6...<...M......Z....s..".3.UfsJD.mW.M. ..L....Dh.t..L...J...V.C....3..@..%...`M..)..6.Qf.j..uH.... ......P......39..@.....@..........l.LM..i..g9....J...G..........T.. ...6..&.. @.....@..bl...&...b.6...kjX..G."..d.....L. X ...:T&.:@..Z... .p.@.NPfsl....Ei.....:...@.%L.m..&.......x...8.R...@. ...3.R.l...J.k.@p.H...T).....Q...\..T.Hh3i.bm1..@+..*.

C:\Users\user\AppData\Local\Temp\preinhered

Download File

Process:	C:\Users\user\Desktop\Offer 2024-30496.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	86022
Entropy (8bit):	4.178837296097941
Encrypted:	false
SSDEEP:	1536:jKq5ajZwcez04TTAo/CgXwS3AFkqkY4TG+:j+lwcnF2DnqkHf
MD5:	1B3AFDCC863D12EFBB3DD606A11AD349
SHA1:	6A3B2FCB28923421E7F2CCD7B27444F682F66BD5
SHA-256:	445E5D81D305C251A51B65A7276A7C095C93323056DB114D0A53F5B2820F98B5
SHA-512:	EDBE8070AB3EDE27BED76BDC57288FE6DC04EA132B8B7FCA0953BC40F7A5416203F81AD4BC0A81419CBD181D6994A10C53A68E24716FB56D52FA42561D83E97A
Malicious:	false
Reputation:	low
Preview:	30K78G35Q35Y38Z62O65N63C38V31W65O63U63M63V30B32H30H30V30C30Z35O36N35H37W62B38G36M62U30E30N30W30C30D30C36J36D38P39P34X35R38J34R62I39U36O35C30E30C30V30T30Y30E36D36C38J39P34Q64H38H36C62K61X37Q32Q30O30U30M30E30O30I36I36Y38C39K35U35V38W38L62Z38V36K65F30L30Y30R30D30P30H36O36W38H39V34D35M38S61Y62M39E36F35D30Z30V30Q30U30J30U36Y36D38U39O34Y64R38R63B62P61R36H63S30M30R30Y30T30U30Q36O36D38B39T35H35U38H65K62R38P33X33N30C30I30X30A30B30S36Z36U38C39P34T35U39F30I62R39Y33U32T30Q30V30V30B30Z30O36V36F38W39J34N64R39W32L62E61R32Y65B30I30K30J30L30W30R36U36I38V39F35M35I39G34I62O38E36C34G30S30T30V30H30B30D36C36J38Q39P34Q35H39T36F62Z39F36Q63T30E30D30E30L30H30C36J36F38U39O34G64G39Z38E62S61Y36O63A30P30M30V30F30V30B36V36Y38A39J35J35E39C61B33G33S63C30S36D36E38C39T34Y35I39A63R62E39U36U65G30W30T30T30M30H30F36A36Z38A39K38N64H34U34H66W66Y66W66S66S66K62K61X37T34F30F30Q30Z30A30F30Z36C36S38N39Q39K35V34L36N66B66I66E66T66W66H62Z38N36F34N30G30G30E30H30S30R36L36N38M39D38P35H34I38I66N66W66E66J66O66D62F39H36U63Q30K30G30F30O30S3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.19431788377763193
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Offer 2024-30496.exe
File size:	73'400'320 bytes
MD5:	ab64db1f849b146e66310ae4533bae41
SHA1:	dfeddf8068abf927b764f81759ca840e9dfaf52d
SHA256:	b1b41226d170c28b22a37e77ae8c81accdd3c192fc5847bbde50b48a4fbb34c6
SHA512:	b4df4dbcac88cb96baea463624ab8eeabc64a5ef04128bea479814b882b241d4eab923ac4c77b9b29ae8e65911c9ad9633aec2ccc35de0695a5ce731820809f5
SSDEEP:	24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aE1/XkV/+:ETvC/MTQYxsWR7aE1/X
TLSH:	9FF7BF0273C1D062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C2E21C [Mon Aug 19 06:11:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F6CF8D1A1E3h
jmp 00007F6CF8D19AEFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6CF8D19CCDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6CF8D19C9Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F6CF8D1C88Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F6CF8D1C8D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F6CF8D1C8C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x37120	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10c000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x37120	0x37200	124f9d2a6393d50089c3b5799d1a429a	False	0.8807132227891157	data	7.777200669057321	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10c000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x2e3e6	data			1.0003484430929075
RT_GROUP_ICON	0x10aba0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x10ac18	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10ac2c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10ac40	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10ac54	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x10ad30	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T12:02:49.854492+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49711	80	192.168.2.12	193.122.6.168
2024-08-29T12:02:48.932595+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49711	80	192.168.2.12	193.122.6.168
2024-08-29T12:02:51.307595+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49714	80	192.168.2.12	193.122.6.168
2024-08-29T12:02:59.756690+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49726	443	192.168.2.12	188.114.97.3
2024-08-29T12:02:50.601139+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49713	443	192.168.2.12	188.114.97.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:02:48.052588940 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:48.057894945 CEST	80	49711	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:48.057976961 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:48.058279037 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:48.063173056 CEST	80	49711	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:48.688955069 CEST	80	49711	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:48.692909002 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:48.697798967 CEST	80	49711	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:48.878734112 CEST	80	49711	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:48.927973032 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:48.928005934 CEST	443	49712	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:48.928103924 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:48.932595015 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:48.944508076 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:48.944526911 CEST	443	49712	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.428215981 CEST	443	49712	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.428369999 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.432329893 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.432343960 CEST	443	49712	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.432718992 CEST	443	49712	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.479495049 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.504528999 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.552496910 CEST	443	49712	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.614602089 CEST	443	49712	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.614686966 CEST	443	49712	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.614763975 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.621176958 CEST	49712	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.624428988 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:49.629384041 CEST	80	49711	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:49.813554049 CEST	80	49711	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:49.815965891 CEST	49713	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.816025972 CEST	443	49713	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.816124916 CEST	49713	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.816466093 CEST	49713	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:49.816493988 CEST	443	49713	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:49.854491949 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:50.272708893 CEST	443	49713	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:50.275229931 CEST	49713	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:50.275255919 CEST	443	49713	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:50.601114035 CEST	443	49713	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:50.601217985 CEST	443	49713	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:50.601284027 CEST	49713	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:50.601799965 CEST	49713	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:50.605084896 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:50.606180906 CEST	49714	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:50.610471010 CEST	80	49711	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:50.610539913 CEST	49711	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:50.610981941 CEST	80	49714	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:50.611051083 CEST	49714	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:50.611121893 CEST	49714	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:50.616677046 CEST	80	49714	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:51.266522884 CEST	80	49714	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:51.267936945 CEST	49715	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:51.267975092 CEST	443	49715	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:51.268073082 CEST	49715	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:51.268337011 CEST	49715	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:51.268361092 CEST	443	49715	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:51.307595015 CEST	49714	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:51.747037888 CEST	443	49715	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:51.748924971 CEST	49715	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:51.748960018 CEST	443	49715	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:51.899684906 CEST	443	49715	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:51.899797916 CEST	443	49715	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:51.899851084 CEST	49715	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:51.900295973 CEST	49715	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:51.904984951 CEST	49716	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:51.910031080 CEST	80	49716	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:51.910229921 CEST	49716	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:51.910367012 CEST	49716	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:51.915235043 CEST	80	49716	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:53.034179926 CEST	80	49716	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:53.035618067 CEST	49717	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:53.035664082 CEST	443	49717	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:53.035757065 CEST	49717	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:53.036034107 CEST	49717	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:53.036050081 CEST	443	49717	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:53.088875055 CEST	49716	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:53.488631964 CEST	443	49717	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:53.490777969 CEST	49717	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:53.490814924 CEST	443	49717	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:53.621119022 CEST	443	49717	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:53.621218920 CEST	443	49717	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:53.621279955 CEST	49717	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:53.621752977 CEST	49717	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:53.625233889 CEST	49716	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:53.626318932 CEST	49718	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:53.630290031 CEST	80	49716	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:53.630381107 CEST	49716	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:53.631166935 CEST	80	49718	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:53.631225109 CEST	49718	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:53.631305933 CEST	49718	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:53.638359070 CEST	80	49718	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:54.784492016 CEST	80	49718	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:54.786045074 CEST	49719	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:54.786089897 CEST	443	49719	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:54.786195993 CEST	49719	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:54.786472082 CEST	49719	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:54.786488056 CEST	443	49719	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:54.838886976 CEST	49718	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:55.245644093 CEST	443	49719	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:55.247364044 CEST	49719	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:55.247389078 CEST	443	49719	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:55.381707907 CEST	443	49719	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:55.381835938 CEST	443	49719	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:55.381907940 CEST	49719	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:55.382865906 CEST	49719	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:55.386285067 CEST	49718	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:55.387455940 CEST	49720	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:55.391501904 CEST	80	49718	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:55.391587019 CEST	49718	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:55.392302990 CEST	80	49720	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:55.392388105 CEST	49720	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:55.392509937 CEST	49720	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:55.398046017 CEST	80	49720	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:56.448390007 CEST	80	49720	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:56.449847937 CEST	49722	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:56.449914932 CEST	443	49722	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:56.449992895 CEST	49722	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:56.450298071 CEST	49722	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:56.450330973 CEST	443	49722	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:56.495157003 CEST	49720	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:56.928852081 CEST	443	49722	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:56.930639029 CEST	49722	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:56.930707932 CEST	443	49722	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:57.056986094 CEST	443	49722	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:57.057073116 CEST	443	49722	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:57.057138920 CEST	49722	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:57.057876110 CEST	49722	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:57.061455965 CEST	49720	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:57.062766075 CEST	49723	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:57.066606998 CEST	80	49720	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:57.066734076 CEST	49720	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:57.067570925 CEST	80	49723	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:57.067651033 CEST	49723	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:57.067789078 CEST	49723	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:57.072525978 CEST	80	49723	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:57.709995031 CEST	80	49723	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:57.711570024 CEST	49724	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:57.711613894 CEST	443	49724	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:57.711684942 CEST	49724	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:57.711925030 CEST	49724	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:57.711937904 CEST	443	49724	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:57.760741949 CEST	49723	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:58.174885988 CEST	443	49724	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:58.176711082 CEST	49724	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:58.176737070 CEST	443	49724	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:58.305331945 CEST	443	49724	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:58.305458069 CEST	443	49724	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:58.305507898 CEST	49724	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:58.306010008 CEST	49724	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:58.309732914 CEST	49723	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:58.311012030 CEST	49725	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:58.315102100 CEST	80	49723	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:58.315182924 CEST	49723	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:58.315788984 CEST	80	49725	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:58.315870047 CEST	49725	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:58.316023111 CEST	49725	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:58.322469950 CEST	80	49725	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:59.156929016 CEST	80	49725	193.122.6.168	192.168.2.12
Aug 29, 2024 12:02:59.158521891 CEST	49726	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:59.158585072 CEST	443	49726	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:59.158770084 CEST	49726	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:59.158994913 CEST	49726	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:59.159015894 CEST	443	49726	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:59.198293924 CEST	49725	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:02:59.616931915 CEST	443	49726	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:59.619013071 CEST	49726	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:59.619031906 CEST	443	49726	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:59.756700993 CEST	443	49726	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:59.756795883 CEST	443	49726	188.114.97.3	192.168.2.12
Aug 29, 2024 12:02:59.756851912 CEST	49726	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:02:59.757426977 CEST	49726	443	192.168.2.12	188.114.97.3
Aug 29, 2024 12:03:56.267182112 CEST	80	49714	193.122.6.168	192.168.2.12
Aug 29, 2024 12:03:56.267241001 CEST	49714	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:04:04.157393932 CEST	80	49725	193.122.6.168	192.168.2.12
Aug 29, 2024 12:04:04.157454014 CEST	49725	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:04:39.167150021 CEST	49725	80	192.168.2.12	193.122.6.168
Aug 29, 2024 12:04:39.172257900 CEST	80	49725	193.122.6.168	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:02:48.038615942 CEST	61249	53	192.168.2.12	1.1.1.1
Aug 29, 2024 12:02:48.046637058 CEST	53	61249	1.1.1.1	192.168.2.12
Aug 29, 2024 12:02:48.919070005 CEST	62031	53	192.168.2.12	1.1.1.1
Aug 29, 2024 12:02:48.927376032 CEST	53	62031	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 12:02:48.038615942 CEST	192.168.2.12	1.1.1.1	0xb789	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:02:48.919070005 CEST	192.168.2.12	1.1.1.1	0x6c9b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 12:02:48.046637058 CEST	1.1.1.1	192.168.2.12	0xb789	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:02:48.046637058 CEST	1.1.1.1	192.168.2.12	0xb789	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:02:48.046637058 CEST	1.1.1.1	192.168.2.12	0xb789	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:02:48.046637058 CEST	1.1.1.1	192.168.2.12	0xb789	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:02:48.046637058 CEST	1.1.1.1	192.168.2.12	0xb789	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:02:48.046637058 CEST	1.1.1.1	192.168.2.12	0xb789	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:02:48.927376032 CEST	1.1.1.1	192.168.2.12	0x6c9b	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:02:48.927376032 CEST	1.1.1.1	192.168.2.12	0x6c9b	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49711	193.122.6.168	80	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:48.058279037 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:02:48.688955069 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:48 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a6d2cde6d63508539d89046fdd089a3d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 29, 2024 12:02:48.692909002 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:02:48.878734112 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:48 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8c5efaec98f3a9583bc272c377fd69bf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 29, 2024 12:02:49.624428988 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:02:49.813554049 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:49 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b926183a969d9323270bde103edf835d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49714	193.122.6.168	80	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:50.611121893 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:02:51.266522884 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:51 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f204f03e19d4d8838a92b39ec37d699e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49716	193.122.6.168	80	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:51.910367012 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:02:53.034179926 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e52270d8a521f4858c1a04e5fd959987 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49718	193.122.6.168	80	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:53.631305933 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:02:54.784492016 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:54 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 981dfefb13a024b9174399504f754ec0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49720	193.122.6.168	80	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:55.392509937 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:02:56.448390007 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6fa44d6c3367aed735ff8dbe9f60f086 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49723	193.122.6.168	80	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:57.067789078 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:02:57.709995031 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b73f86f46089b19d0a178017273e8228 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49725	193.122.6.168	80	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:02:58.316023111 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:02:59.156929016 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1a9e10936e059d629c214fdf81fcea9f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49712	188.114.97.3	443	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:02:49 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:02:49 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:49 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24352 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dvIlYXDYd1AWR5ICZ0Iks2MvWHCtHMmoD4YLD29ZHHsN4AlQKvspfIm5AoXPzduAp6%2BIMsJ7XNNeQLtsojDiPW%2BTosL3vz8G%2FqjSy9flQpqz9Q7XqufAIiBwrbHIaDUW9BetbZvQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babb52bb8fd8c36-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:02:49 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:02:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49713	188.114.97.3	443	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:02:50 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:02:50 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:50 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24353 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sWzHpf1eMCaRRXEcJjHpwExbD1RzkE2HeSgRvg9edtf%2BcNfp3mDTlnvjLPki%2BKe7GW6NLZZRU4MLj1DpPHw%2B0%2FY%2Fqv3Og6u%2BKJgTdM4xGaiUhD7gn0i7ATMMaCBojPf6PJmBNvKp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babb531ec797c8e-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:02:50 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:02:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49715	188.114.97.3	443	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:02:51 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:02:51 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:51 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24354 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j5qppj8N55cSBjuurkXB6T3daN%2BwC6d6dslSfuukn%2FHH2zXUnu8y7gJSCzAUI21s82wIBvr3rPOI%2BTnyZ3pcemkTUa%2BWjytB8OBmsANmndeVXe4g0wwdcMylR8X11hun6uRtpnYI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babb539fdb972aa-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:02:51 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:02:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49717	188.114.97.3	443	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:02:53 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:02:53 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:53 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24356 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ON%2Fv27FjVGCzIuFKGcz6W%2BQDLf6dsrFRWhuQBrpS1YuEr1RM2q2DiDCuy2%2BFrInnT9taVlysSJ01hBHyEWKdZIA7JDOsX7X27W%2FlmLE9Da5vO%2B0A2HjmeRmeXWGL%2B145MX0TCbKA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babb544b8a7c466-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:02:53 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:02:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49719	188.114.97.3	443	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:02:55 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:02:55 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:55 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24358 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rvEU6BO6qgoxbMOJrE66d3TD90gtz17VTKBGxEwe3defvw7Nt%2BdHYNqrPILwCRzWGz0t7Jw7oRhDx9yh5B07r8r0rZiXyFiPUIzfOnwwjSWka4sakGIHnGo%2BmQtdb%2B8KcMu3VgVw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babb54fc97e72b3-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:02:55 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:02:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49722	188.114.97.3	443	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:02:56 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:02:57 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24360 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OcvjAGdUGGl2ik592VRWblODaCecKbv6tMfhW899aXPwUk%2F1Hm7mhMsAA9anMI65A8jLx6V8foesdLcobSSk64OjyGrJ%2B3SlEeQ2Lzdu1scBacf8yEw7li9kEHcjm1j3Qoyd3rFN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babb55a3b2a80d0-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:02:57 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:02:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49724	188.114.97.3	443	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:02:58 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:02:58 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24361 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uLPzU9FwTPobRIx5eeWDyRn2rgINaHUooygjHLT2uJCWyMZLHFtPLSITu19Zw9vkeEgbk3%2Fo2YHxpqW%2FcEtLfugizY7QtrlrTodImR%2FccFinKJmIA97HTmanOFz3BoteDofWeD1T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babb562090542e3-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:02:58 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:02:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	49726	188.114.97.3	443	6408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:02:59 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:02:59 UTC	718	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:02:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24362 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T7jvrkjfXFwiTU1QE43oD%2FrYE%2BZV12cEX%2BubqH5E4%2BEiT3SN%2FVzndHUmEkqaWWZVOx%2B07hWTdImKR2W%2F7afJn9hv0Lq9%2FThAfkY%2BfIYTc56hWC6zjGuKJKFq7KgW6fPO9064UvmC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babb56b1fd5c343-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:02:59 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:02:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:02:44
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Offer 2024-30496.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Offer 2024-30496.exe"
Imagebase:	0x950000
File size:	73'400'320 bytes
MD5 hash:	AB64DB1F849B146E66310AE4533BAE41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:02:45
Start date:	29/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Offer 2024-30496.exe"
Imagebase:	0x8f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 009542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0095430D

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

GetCurrentProcess.KERNEL32(?,009ECB64,00000000,?,?), ref: 00954422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00954429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00954454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00954466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00954474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0095447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009544A0

Strings

GetNativeSystemInfo, xrefs: 00954460
|O, xrefs: 009936F8
kernel32.dll, xrefs: 0095444F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 6896e344eeb3273f510924be525e1720a80c33930ee770a350959ac9e567df7c
Instruction ID: 3219491e4de0a28b236f723b36ddca7ae09ae898ed1ed5c34bf71610aaf99678
Opcode Fuzzy Hash: 6896e344eeb3273f510924be525e1720a80c33930ee770a350959ac9e567df7c
Instruction Fuzzy Hash: 04A1A56191E2C0CFCBB1CBEE78851B57FE76B76305B0458B9D4819FA21D2248A4BDB21

Function 009542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009550AA,?,?,00000000,00000000), ref: 009542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009550AA,?,?,00000000,00000000), ref: 009542C9
LoadResource.KERNEL32(?,00000000,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20), ref: 009935BE
SizeofResource.KERNEL32(?,00000000,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20), ref: 009935D3
LockResource.KERNEL32(009550AA,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20,?), ref: 009935E6

Strings

SCRIPT, xrefs: 009542BF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 410ae080ce43f5b90a34326f142cc04f58a114db19838c479993d8b7712c9b06
Instruction ID: 859bdd2cc9274e65680d39e4b80b3988812e1cb377d7a3031eb47cd3a674c562
Opcode Fuzzy Hash: 410ae080ce43f5b90a34326f142cc04f58a114db19838c479993d8b7712c9b06
Instruction Fuzzy Hash: 1311ACB0200301BFDB218B6ADC88F277BBDEBC5B56F148169B9628A250DB71DC069620

Function 00992BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00952B6B

Part of subcall function 00953A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A21418,?,00952E7F,?,?,?,00000000), ref: 00953A78

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00A12224), ref: 00992C10
ShellExecuteW.SHELL32(00000000,?,?,00A12224), ref: 00992C17

Strings

runas, xrefs: 00992C0B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 3f69111a77b231a421dd3eed94cddfc9e93cac0382dab5778888900a430e6c3f
Instruction ID: 657724056249d440f0762b02fcb100c3a4ea5e6669d457003c5320fbfc15f2d6
Opcode Fuzzy Hash: 3f69111a77b231a421dd3eed94cddfc9e93cac0382dab5778888900a430e6c3f
Instruction Fuzzy Hash: 3911E771608345AAC714FF75E851BBD77A8AFE2342F44483CF986420A2DF30894EC712

Function 009BDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00995222), ref: 009BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 009BDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 009BDBEE
FindClose.KERNEL32(00000000), ref: 009BDBFA

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: cc5cefd24ae9586b6510a3a0e5f4bf7226f24d8e9c46beab56063db2c257826d
Instruction ID: 0ae733701aeb337cd6bd92596a19319d3fe2a19bb7b18aa72dccebe082dab7d3
Opcode Fuzzy Hash: cc5cefd24ae9586b6510a3a0e5f4bf7226f24d8e9c46beab56063db2c257826d
Instruction Fuzzy Hash: 98F02B708299109782206B7CEE4E8EA3B6C9E01334B104702F9F6C21F0FBF09D56D6D5

Function 0095D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0095D807
timeGetTime.WINMM ref: 0095DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0095DB28
TranslateMessage.USER32(?), ref: 0095DB7B
DispatchMessageW.USER32(?), ref: 0095DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0095DB9F
Sleep.KERNEL32(0000000A), ref: 0095DBB1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 4a7bf59bcba63f74d7865923fa395fcdc0a1c74a420cf67ac608617adc276844
Instruction ID: 436b7e5be2dbad4b11e8a7e5daf4cfde6d5b1811fa99252f703e014e9a0ddebc
Opcode Fuzzy Hash: 4a7bf59bcba63f74d7865923fa395fcdc0a1c74a420cf67ac608617adc276844
Instruction Fuzzy Hash: 00421470609341DFD734CF29C894BAAB7E5BF86305F14892DF89587291D774E849CB82

Function 00952CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00952D07
RegisterClassExW.USER32(00000030), ref: 00952D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00952D42
InitCommonControlsEx.COMCTL32(?), ref: 00952D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00952D6F
LoadIconW.USER32(000000A9), ref: 00952D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00952D94

Strings

+, xrefs: 00952CF0
0, xrefs: 00952CE9
AutoIt v3 GUI, xrefs: 00952D23
TaskbarCreated, xrefs: 00952D37

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 58edf0f24ca58202e7a4e8096b78a8e139ecb0c07098605b467e39095ef50606
Instruction ID: 14eee6303cf03b2357b0dcb83f586d0f0797196e8f7c24648aecd16b3fa35fe2
Opcode Fuzzy Hash: 58edf0f24ca58202e7a4e8096b78a8e139ecb0c07098605b467e39095ef50606
Instruction Fuzzy Hash: 7221F7B5911348AFDB10DFE8EC89BEDBBB4FB08705F00412AF551AA2A0D7B10942DF91

Function 0099065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0099039A: CreateFileW.KERNELBASE(00000000,00000000,?,00990704,?,?,00000000,?,00990704,00000000,0000000C), ref: 009903B7

GetLastError.KERNEL32 ref: 0099076F
__dosmaperr.LIBCMT ref: 00990776
GetFileType.KERNELBASE(00000000), ref: 00990782
GetLastError.KERNEL32 ref: 0099078C
__dosmaperr.LIBCMT ref: 00990795
CloseHandle.KERNEL32(00000000), ref: 009907B5
CloseHandle.KERNEL32(?), ref: 009908FF
GetLastError.KERNEL32 ref: 00990931
__dosmaperr.LIBCMT ref: 00990938

Strings

H, xrefs: 009908BD

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1cab8e87ad30dfe5be61995c56fdb74ce8f905b3f22dbf59f345a9d2f5f0628b
Instruction ID: 524fbb7ff75753df1bf88541cff01c2d8c4d7216a52190167c577af2d1033f41
Opcode Fuzzy Hash: 1cab8e87ad30dfe5be61995c56fdb74ce8f905b3f22dbf59f345a9d2f5f0628b
Instruction Fuzzy Hash: 69A12732A141048FDF19EFACDC52BAE7BA4AB86320F144159F825AF392D7359C13CB91

Function 0095344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00953A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A21418,?,00952E7F,?,?,?,00000000), ref: 00953A78

Part of subcall function 00953357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00953379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0095356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0099318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009931CE
RegCloseKey.ADVAPI32(?), ref: 00993210
_wcslen.LIBCMT ref: 00993277
_wcslen.LIBCMT ref: 00993286

Strings

\Include\, xrefs: 00953527
Include, xrefs: 00993184, 009931C5
\, xrefs: 0099328C
Software\AutoIt v3\AutoIt, xrefs: 00953560

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3389e627a4a4f278fa4d33128a2d190b0f48fd0f1cffdb3b7092a0a8c1ad8f44
Instruction ID: 20f9c5f70344c48f934d26b20048e22b38d721f061f1ec4c39d6e3169539a9af
Opcode Fuzzy Hash: 3389e627a4a4f278fa4d33128a2d190b0f48fd0f1cffdb3b7092a0a8c1ad8f44
Instruction Fuzzy Hash: 07718271404301AEC724DF6AEC91A6BBBE8FFD5740F40483DF9859B161EB349A4ACB51

Function 00952B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00952B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00952B9D
LoadIconW.USER32(00000063), ref: 00952BB3
LoadIconW.USER32(000000A4), ref: 00952BC5
LoadIconW.USER32(000000A2), ref: 00952BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00952BEF
RegisterClassExW.USER32(?), ref: 00952C40

Part of subcall function 00952CD4: GetSysColorBrush.USER32(0000000F), ref: 00952D07
Part of subcall function 00952CD4: RegisterClassExW.USER32(00000030), ref: 00952D31
Part of subcall function 00952CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00952D42
Part of subcall function 00952CD4: InitCommonControlsEx.COMCTL32(?), ref: 00952D5F
Part of subcall function 00952CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00952D6F
Part of subcall function 00952CD4: LoadIconW.USER32(000000A9), ref: 00952D85
Part of subcall function 00952CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00952D94

Strings

#, xrefs: 00952C16
AutoIt v3, xrefs: 00952C2F
0, xrefs: 00952C0F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 54d04b98be168cfa5d5765bdaf6ed79cc9932db1c075e81e6edcbbd377e52484
Instruction ID: eaceec00a6ea9e68bc18e6b44ca6b71149a4a0d8774948356a38ed8ed4fec225
Opcode Fuzzy Hash: 54d04b98be168cfa5d5765bdaf6ed79cc9932db1c075e81e6edcbbd377e52484
Instruction Fuzzy Hash: 6C2130B0D10354ABDB60DFD9EC89AA97FB5FB58B54F00003AE500AA660D7B10943DF90

Function 00953170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0095316A,?,?), ref: 009531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0095316A,?,?), ref: 00953204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00953227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0095316A,?,?), ref: 00953232
CreatePopupMenu.USER32 ref: 00953246
PostQuitMessage.USER32(00000000), ref: 00953267

Strings

TaskbarCreated, xrefs: 0095322D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c31520ef131ff3bb8415f56a78abdc1b2b4fcabd5e447afeec9b2b0f8e954f0a
Instruction ID: 982e39983810b49249a55613a9f1fd3d2b31396519bb96ab322ff0a463cd5044
Opcode Fuzzy Hash: c31520ef131ff3bb8415f56a78abdc1b2b4fcabd5e447afeec9b2b0f8e954f0a
Instruction Fuzzy Hash: 3F419630218600BBDF24EBBD9D4DB793B1DE745382F048535FD128A1A1CB758E4A97A1

Function 00988D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d1514f275db82b3378ca39fb2376403692b8f672e3dfc1fdf66d75ddb1d862
Instruction ID: b8d5c1897c46c6a9e0810b02e27c0c0d8cfe73cec4e3fee038c9c2186a99d8ae
Opcode Fuzzy Hash: 24d1514f275db82b3378ca39fb2376403692b8f672e3dfc1fdf66d75ddb1d862
Instruction Fuzzy Hash: 31C1D275A04249AFCB21FFECC841BBEBBB4AF49310F184159E954AB393C7349942CB61

Function 00BD25B0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00BD2681
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BD28A7

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction ID: 220c4a4d430a5ea769b569b5bcb7769a8ac9e67a23122f4b4b9fa6f1fcdb7fd5
Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction Fuzzy Hash: F9A1F674E00249EBDB14CFA4C894BAEF7B5FF58304F20819AE505AB380E7759E81DB94

Function 00952C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00952C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00952CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00951CAD,?), ref: 00952CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00951CAD,?), ref: 00952CCF

Strings

AutoIt v3, xrefs: 00952C89, 00952C8E, 00952C8F
edit, xrefs: 00952CAC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ddc016e0254ce53bf71ed45bc2c444d52a81bdc5cea93bfbc2312498575602d4
Instruction ID: 790ecccae7432c5bd2e3419e789707573da04bc4e6b50f0ec8a3e968e121518d
Opcode Fuzzy Hash: ddc016e0254ce53bf71ed45bc2c444d52a81bdc5cea93bfbc2312498575602d4
Instruction Fuzzy Hash: 36F03AB95413D47AEB71875BAC4CE772EBED7DAF50B01003AF900AA1A0C2710C43DAB0

Function 00BD23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BD22A0: Sleep.KERNELBASE(000001F4), ref: 00BD22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BD24A2

Strings

1OPF21UE9F1, xrefs: 00BD2505, 00BD2508

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID: CreateFileSleep
String ID: 1OPF21UE9F1
API String ID: 2694422964-14044512
Opcode ID: 4e70cde4babf792b435691c3f86e646c3ad8922cf9e7fbe5f49468fbc891307c
Instruction ID: 1887cb10432b13f23d2e8c852f0ae2e01d7e6d8de41a2f93011ad313b2862810
Opcode Fuzzy Hash: 4e70cde4babf792b435691c3f86e646c3ad8922cf9e7fbe5f49468fbc891307c
Instruction Fuzzy Hash: 6A518331D14249EBEF10DBE4D855BEEFBB8AF58300F104199E608BB2C0E6791B45CBA5

Function 009C2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2C05
DeleteFileW.KERNEL32(?), ref: 009C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2CC0

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 625aa3cdf7582807a83c857cc0e24d5b6bd5422f47674b7ac5a814e53795e229
Instruction ID: 0ac09d4ae798fa6b43d21e195fcd1382e5989fe8fe2ef60d353e542a16748285
Opcode Fuzzy Hash: 625aa3cdf7582807a83c857cc0e24d5b6bd5422f47674b7ac5a814e53795e229
Instruction Fuzzy Hash: 18B13D72D01119ABDF11DBA4CC85FDEBB7DEF89350F1040AAFA09E6181EA309E448F61

Function 00953B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B83

Strings

Control Panel\Mouse, xrefs: 00953B3E

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0ba3b3956eb2b5a85af3b133c1ee6ebb621e3e07c4d04e7c60f40e877bd6972d
Instruction ID: eeb031a5e5fded04b292cd482ea8dc9a4482ab655de4f82a097ae128404c4cd0
Opcode Fuzzy Hash: 0ba3b3956eb2b5a85af3b133c1ee6ebb621e3e07c4d04e7c60f40e877bd6972d
Instruction Fuzzy Hash: CA112AB5520218FFDB20CFA6DC84ABEB7BCEF05786B108959F805D7110D2319F45AB60

Function 00BD12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00BD1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00BD1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00BD1B13

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction ID: 1a91f14b482a0607d15473cb839c7346e129934a685e0a7b923bae9d4e808a35
Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction Fuzzy Hash: FE621C30A14658DBEB24CFA4C851BDEB376EF58300F1095AAD10DEB390E7799E81CB59

Function 0095DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009A32B7

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 1518bb7b9f8e12445f5e6df840a713134e6ba7e232cb355199b371cb5bd3475f
Instruction ID: 1ee8ab75df66759cd5a55bfcdfe8eee72427fd6d974868d4b71db099bcecc66d
Opcode Fuzzy Hash: 1518bb7b9f8e12445f5e6df840a713134e6ba7e232cb355199b371cb5bd3475f
Instruction Fuzzy Hash: A9C29A71E00214DFCB28CF99C880BADB7B5BF49311F248569ED15AB291D336EE46CB91

Function 00953923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009933A2

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00953A04

Strings

Line: , xrefs: 009933EB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 426ed12ca5e45b924766bd72b335a65c52deddf18976a44e8f0f5597476271df
Instruction ID: 5946d901704da8f3a3183b287a5c1e8d0c7ccfa6027db74579fefdb66d32b979
Opcode Fuzzy Hash: 426ed12ca5e45b924766bd72b335a65c52deddf18976a44e8f0f5597476271df
Instruction Fuzzy Hash: CB3136B1408304ABC721EB25DC45BEFB3DCAF90751F00892AF99987191EB709A4EC7C2

Function 0096FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00970668

Part of subcall function 009732A4: RaiseException.KERNEL32(?,?,?,0097068A,?,00A21444,?,?,?,?,?,?,0097068A,00951129,00A18738,00951129), ref: 00973304

__CxxThrowException@8.LIBVCRUNTIME ref: 00970685

Strings

Unknown exception, xrefs: 00970692

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e94e2094beaf5edae052ac2f1c7b8482512938a9143ab80f16af3d0fe0ca88ba
Instruction ID: 5e0d1facd7b77326407c02a6c4e210fd5c08d873854802cf7f0f7c2ca3cd4eeb
Opcode Fuzzy Hash: e94e2094beaf5edae052ac2f1c7b8482512938a9143ab80f16af3d0fe0ca88ba
Instruction Fuzzy Hash: 80F0C23690020DB7CB00B665E866E9E7B6C6EC0350B60C671B82C965D2EF71EA65C980

Function 009C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009C302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009C3044

Strings

aut, xrefs: 009C3038

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5cf26e11848f23724dc5e25c9a39c6f319294ab6046fdd77fff0137c76b3077c
Instruction ID: d80fd4da982593b65e52accf7aa96c7caec9c7f412651bff5e5b778bd0622177
Opcode Fuzzy Hash: 5cf26e11848f23724dc5e25c9a39c6f319294ab6046fdd77fff0137c76b3077c
Instruction Fuzzy Hash: 87D05BB150032477DA2097949C4DFC73A6CEB04751F0005517795D6195DAB0D985CAD0

Function 009D7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009D82F5
TerminateProcess.KERNEL32(00000000), ref: 009D82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 009D84DD

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 4f4477a6dfc4035b90c72f917a3ba1e96c9313b458357a7abbc1116f180e23d7
Instruction ID: cb4a21c3a511c1084fa0a21a1d061835abddfd18303a213ef4561eba18b4a959
Opcode Fuzzy Hash: 4f4477a6dfc4035b90c72f917a3ba1e96c9313b458357a7abbc1116f180e23d7
Instruction Fuzzy Hash: 9D125A71A083419FC724DF28C484B6ABBE5FF89314F04895EE9998B352DB31ED45CB92

Function 00985AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8765d7d7204bc7cf23d484725fe09c3da3179f6db636a0ca6df684a03d2791
Instruction ID: 61719b6acb3c7fcbb91283f686a9c4a7aba8710b0cddfb7d6724338dda10e54b
Opcode Fuzzy Hash: 9e8765d7d7204bc7cf23d484725fe09c3da3179f6db636a0ca6df684a03d2791
Instruction Fuzzy Hash: 1051E175D006099FCF21BFA8C845FEEBBB8AF55310F160059F405AB392D7359909CB61

Function 009510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00951BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00951BF4
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00951BFC
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00951C07
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00951C12
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00951C1A
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00951C22

Part of subcall function 00951B4A: RegisterWindowMessageW.USER32(00000004,?,009512C4), ref: 00951BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0095136A
OleInitialize.OLE32 ref: 00951388
CloseHandle.KERNEL32(00000000,00000000), ref: 009924AB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1e2debb8d8f8cd07ab57b5de616ffce84dec5aea283941138d4b72c7899eaa25
Instruction ID: cdea7623b3aa0a2868894d2a82b76fb1e617c4297c4826ecd75ea8d336f3e1f4
Opcode Fuzzy Hash: 1e2debb8d8f8cd07ab57b5de616ffce84dec5aea283941138d4b72c7899eaa25
Instruction Fuzzy Hash: A971CCB49113448FC7A4EFBEAD956753AE1FBA834475482BAD84AC7362EB344407CF44

Function 009886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,009885CC,?,00A18CC8,0000000C), ref: 00988704
GetLastError.KERNEL32(?,009885CC,?,00A18CC8,0000000C), ref: 0098870E
__dosmaperr.LIBCMT ref: 00988739

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 648bec51828edc211ce1738bb2cfebd8fc3a7840fed77488cd00be9fc4fc63e9
Instruction ID: 1b5efde7887a0872002090293264898dbd198542728d1f624d3692fb68b533c9
Opcode Fuzzy Hash: 648bec51828edc211ce1738bb2cfebd8fc3a7840fed77488cd00be9fc4fc63e9
Instruction Fuzzy Hash: 69012B3760566056D634B2386849B7F675D4BC1774F79011AF8149B3D3EEA5DC828360

Function 009C2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,009C2CD4,?,?,?,00000004,00000001), ref: 009C2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009C2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009C3006
CloseHandle.KERNEL32(00000000,?,009C2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009C300D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 6829a654f0501c89b23338916fd17201f607619952e084ab61fd18f4bba150d2
Instruction ID: 754ba33d45c60a1e51d64814ee1f916ae27e3a170582c13d2d268fbfa88696f4
Opcode Fuzzy Hash: 6829a654f0501c89b23338916fd17201f607619952e084ab61fd18f4bba150d2
Instruction Fuzzy Hash: 00E0867269425077D2301755BC4DF8B3E1CDB86B71F104214FB59791D046A0290252A9

Function 00961310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009617F6

Strings

CALL, xrefs: 009617C6

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 04a164f9bdd35aa06d33522fc89c896acd89572e8e8dbd3a64a5840d97a5d2bc
Instruction ID: 509134047eb5104b2fe1c42df8cc64387e5f7a0beb279f8459127457208c4c50
Opcode Fuzzy Hash: 04a164f9bdd35aa06d33522fc89c896acd89572e8e8dbd3a64a5840d97a5d2bc
Instruction Fuzzy Hash: 88227B706083419FC714DF14C490B2ABBF5BF8A314F18896DF4968B3A2DB75E945CB92

Function 009C6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009C6F6B

Part of subcall function 00954ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 009C6F5A, 009C6F63

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 115a4bfb36cec44bf76241201877853f17ca47429288de9c2c8fbd0c97e0f78f
Instruction ID: c0a484dff2f79b278eb085ee9298b2840981c6dbeff0cf3f7a265e1352ef81fd
Opcode Fuzzy Hash: 115a4bfb36cec44bf76241201877853f17ca47429288de9c2c8fbd0c97e0f78f
Instruction Fuzzy Hash: 4FB182315082018FCB14EF65D891EAEF7E5AFD4310F04895DF896972A2EB30ED49CB92

Function 00952DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00992C8C

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 00952DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00952DC4

Strings

X, xrefs: 00992C5A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 37e4e896e054b3417f088ff7fc61461f4b405996ccf87334d8e14ea06d3728f3
Instruction ID: c6489b65292763b624ee3c148cdc7944533b71276c5fcdf8136d308fb1900ee6
Opcode Fuzzy Hash: 37e4e896e054b3417f088ff7fc61461f4b405996ccf87334d8e14ea06d3728f3
Instruction Fuzzy Hash: 4921C671A102589FDF41DF95C8457EE7BFCAF89315F008059E805EB241EBB4598DCB61

Function 009C2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009C2587

Strings

EA06, xrefs: 009C25B9

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 7a357821cb26084f901f0658343682d892df63198f40cfccb7196f1636291117
Instruction ID: 561a74141e8ed5425cc4ee39833d5fc6c0ebfc9d6e3687a2ddf0a4b237aa6c0d
Opcode Fuzzy Hash: 7a357821cb26084f901f0658343682d892df63198f40cfccb7196f1636291117
Instruction Fuzzy Hash: E101B572D442587EDF18C7A8C856FEEBBF89F45305F04859EF156D2181E5B4E6088B60

Function 00953837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00953908

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a4652cb18a2e75e24089573189abea0396d733eb8d05915197e20aa12755e94e
Instruction ID: 29841ccc00bb7920ce3e91d9ef1c54551f59bac100fed558020638f26e24d3f9
Opcode Fuzzy Hash: a4652cb18a2e75e24089573189abea0396d733eb8d05915197e20aa12755e94e
Instruction Fuzzy Hash: 0731D2B0504300CFD761DF69D885BA7BBE8FF49749F00092EFA9987250E771AA49CB52

Function 00956D9E Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0096CF58,?,?,?), ref: 00956DBA
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0096CF58,?,?,?), ref: 00956DED

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 1c939564552b9c710759d40f129526ec072189169c9c8959784eec98471722e8
Instruction ID: 34c87a75aa87307d8f00cf73b14d7e0790823506d5d18d5a7b0aef415f0a7caf
Opcode Fuzzy Hash: 1c939564552b9c710759d40f129526ec072189169c9c8959784eec98471722e8
Instruction Fuzzy Hash: D901F7723052007FEB199769DC5BF6F7AADDBC5350F00003DB506DB1E1D9A19C004660

Function 0095B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0095BB4E

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: d49925a5756055b58ba2547c27c0961216f5eb8914366a95cc5dede3ffa9d8ec
Instruction ID: b2d4cd1d53a64283aa1a9ff0ee51f80583dde36272929264603832c7a4781c0d
Opcode Fuzzy Hash: d49925a5756055b58ba2547c27c0961216f5eb8914366a95cc5dede3ffa9d8ec
Instruction Fuzzy Hash: 3532EC34A00209EFDF20CF59C894BBEB7B9EF85305F148469EE15AB251C778AD46CB91

Function 00BD129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00BD1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00BD1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00BD1B13

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction ID: 7ad89324b8d6213c085654d7c590c8ee1cc584c719ba7da5d6bb4b0d1cd2c04e
Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction Fuzzy Hash: A512EE20E18658C6EB24DF64D8507DEB272EF68300F1094E9910DEB7A5E77A4F81CB5A

Function 00954ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00954E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E9C
Part of subcall function 00954E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00954EAE
Part of subcall function 00954E90: FreeLibrary.KERNEL32(00000000,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EFD

Part of subcall function 00954E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E62
Part of subcall function 00954E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00954E74
Part of subcall function 00954E59: FreeLibrary.KERNEL32(00000000,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E87

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6f06e98f3745ca26db32f595d9e9b57dea887123c6d0219f329f577aa6ac6f48
Instruction ID: cec00cdb0c6059665632829701678ef4a75a4db500e18d0fe5dd3ec86fe0a3a5
Opcode Fuzzy Hash: 6f06e98f3745ca26db32f595d9e9b57dea887123c6d0219f329f577aa6ac6f48
Instruction Fuzzy Hash: 2D11C831610205ABCF14EF69DC12FAD77A59F80716F10841DFD42A61C1EE749E499B50

Function 00988402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00988440

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b3a745b4aa7d007f240602832778dde61aeb300624e2bee5c63df0a9c6016350
Instruction ID: bdbcb5a168702e2f6f1caedaa655859b774169b27f7fb4ac39b73cc3dab322ea
Opcode Fuzzy Hash: b3a745b4aa7d007f240602832778dde61aeb300624e2bee5c63df0a9c6016350
Instruction Fuzzy Hash: 7911187690410AAFCF15DF58E941A9B7BF9EF48314F104069FC08AB312DB31DA11CBA5

Function 00985000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00984C7D: RtlAllocateHeap.NTDLL(00000008,00951129,00000000,?,00982E29,00000001,00000364,?,?,?,0097F2DE,00983863,00A21444,?,0096FDF5,?), ref: 00984CBE

_free.LIBCMT ref: 0098506C

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 731eddd7188424f12ad7c5b6c61e68427b2e9469851c0707bf9d4b1bc986d368
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 530149722047056BE3319F69D881A9AFBECFBC9370F26051DE188933C0EA30A805C7B4

Function 0097E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 2b40e42487ae2c3c335652b265098b95f227f1fda699197bad0acf73746f4390
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: B3F02833511A14E6C7313A698C05B5B339C9FD6330F108B55F829972D2DB74E80187A5

Function 00959CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00959CBD

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: a1aab6b1abdf35b971cbb30c4e90fbef234579797177db4f7ef5b95bc5723019
Instruction ID: 16c39bbf9033c502694d758cc880fe253cf9353573bee82de60fc5adb273fe10
Opcode Fuzzy Hash: a1aab6b1abdf35b971cbb30c4e90fbef234579797177db4f7ef5b95bc5723019
Instruction Fuzzy Hash: 85F0C8B3600700AED7159F29D806B67BB98EF84760F10852AFA1DCB1D1DB31E51487A0

Function 00984C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00951129,00000000,?,00982E29,00000001,00000364,?,?,?,0097F2DE,00983863,00A21444,?,0096FDF5,?), ref: 00984CBE

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 88031b0dca34e4b21cd8c81d0855057b1b35e1e89ad2e39f59675cf59b31bc35
Instruction ID: 80b13e8077e446588a42d131eb1b3000c9abbf0a9ad3083be5efc8e043a1b9fa
Opcode Fuzzy Hash: 88031b0dca34e4b21cd8c81d0855057b1b35e1e89ad2e39f59675cf59b31bc35
Instruction Fuzzy Hash: 94F0E93264622667DB217F629C05FDA778CBF817B0B148125F899AA381CB34DC0147E0

Function 00983820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d468137287497101d22d3a566c30db075eea29310d25d982af647099c2d79be7
Instruction ID: 918ad67fc3ad68ce68539ac850b86856fbd65af41cdf6a8e09c5b816a13a26ed
Opcode Fuzzy Hash: d468137287497101d22d3a566c30db075eea29310d25d982af647099c2d79be7
Instruction Fuzzy Hash: E0E0653220522457D63137669C06B9A365DAF82FB0F15C125BC59A6A91DB21DD0283E1

Function 00954F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954F6D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 82d4769dc995a0deb55130b0da215e7f2715bb6d237bb2ba386c13340f7f2da1
Instruction ID: 40ad9382c4223a2c556190cf052a8c3338d63c9c0cc614d2e20ca7a1fa07cd39
Opcode Fuzzy Hash: 82d4769dc995a0deb55130b0da215e7f2715bb6d237bb2ba386c13340f7f2da1
Instruction Fuzzy Hash: 37F03071105751CFDB74DF6AD490852B7F4AF1431E3208D7EE9DA86511C7319888DF50

Function 00952DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00952DC4

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8b6e40bac8337941b5dfcc50253648cbeb2dcb26fba2bbe4b5ae7940bd836c83
Instruction ID: b3a83e98dec6beceed391bf00142c2a094a741145140c57459d1daa0673c350b
Opcode Fuzzy Hash: 8b6e40bac8337941b5dfcc50253648cbeb2dcb26fba2bbe4b5ae7940bd836c83
Instruction Fuzzy Hash: 01E0CD726041245BCB10D2589C06FEA77DDDFC8790F040071FD09D7248DA70ED848650

Function 009C2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009C26B5

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 6230721fd245f3b2dbae789bf7e37a9c689edc084acdbf6f6ce1083bde4808a6
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: D6E0D8B06097004FCF389B28A951BF677D89F49300F00045EF59F82212E5722841861E

Function 00952B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00953837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00953908

Part of subcall function 0095D730: GetInputState.USER32 ref: 0095D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00952B6B

Part of subcall function 009530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0095314E

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 159eb126fbdc42bb1d15d172ccc1ef01b2a8d6de28fbff04633d75e907d96814
Instruction ID: 67f46154b1b685535f8b2dd3cf348ed24e76e7f41f69a08de27028b09f86c7b3
Opcode Fuzzy Hash: 159eb126fbdc42bb1d15d172ccc1ef01b2a8d6de28fbff04633d75e907d96814
Instruction Fuzzy Hash: 6AE07D6230434403C608FB77AC527BDB7599BE2393F40543EF946831A3CF20494E8311

Function 0099039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00990704,?,?,00000000,?,00990704,00000000,0000000C), ref: 009903B7

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb2236fb9665269b6859f7ab37be005b80865ca1902ee68ec32d4906f593f1e4
Instruction ID: ba1ef08790bd0060096af43c8d920847fd2925fe94b7b7e5554820ef46032c9f
Opcode Fuzzy Hash: fb2236fb9665269b6859f7ab37be005b80865ca1902ee68ec32d4906f593f1e4
Instruction Fuzzy Hash: E4D06C3205414DBBDF028F84DD46EDA3FAAFB48714F014000BE5856020C732E822AB91

Function 00951CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00951CBC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 8791ef18c0397a8d8084ba7bf1cbd5f55fb7cf0da869af108643816b9eb4f9eb
Instruction ID: b62e207ba35bb17e96210265281595ad50202f7cd172cd28c2560516a3169b5a
Opcode Fuzzy Hash: 8791ef18c0397a8d8084ba7bf1cbd5f55fb7cf0da869af108643816b9eb4f9eb
Instruction Fuzzy Hash: 39C04C35284344AAE224C7C4AD4AF207755A358B04F048011F649595E387A11812A650

Function 0096FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0096FD1F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 26827d9898252a76eb7829e20ddf4ca26f47f3413ad156cc35110d6601f0972f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1E31E275A00109DBCB18CF59E4A0969FBAAFF49300B2486A5E849CF696D735EDC1DBC0

Function 00BD22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00BD22B1

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b60e0babcc1cb4ed15db6e4c416fb51c2bc5fc7b231ea9c0f9cac4adf2c07f18
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 76E0BF7494010E9FDB00EFA4D54969E7BB4EF04301F1001A1FD0192280D63099509A72

Non-executed Functions

Function 009E9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009E96C9
SendMessageW.USER32 ref: 009E96F2
GetKeyState.USER32(00000011), ref: 009E978B
GetKeyState.USER32(00000009), ref: 009E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009E97AE
GetKeyState.USER32(00000010), ref: 009E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009E97E9
SendMessageW.USER32 ref: 009E9810
SendMessageW.USER32(?,00001030,?,009E7E95), ref: 009E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009E9941
SetCapture.USER32(?), ref: 009E994A
ClientToScreen.USER32(?,?), ref: 009E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E99D6
ReleaseCapture.USER32 ref: 009E99E1
GetCursorPos.USER32(?), ref: 009E9A19
ScreenToClient.USER32(?,?), ref: 009E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 009E9A80
SendMessageW.USER32 ref: 009E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 009E9AEB
SendMessageW.USER32 ref: 009E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009E9B4A
GetCursorPos.USER32(?), ref: 009E9B68
ScreenToClient.USER32(?,?), ref: 009E9B75
GetParent.USER32(?), ref: 009E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 009E9BFA
SendMessageW.USER32 ref: 009E9C2B
ClientToScreen.USER32(?,?), ref: 009E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 009E9CDE
SendMessageW.USER32 ref: 009E9D01
ClientToScreen.USER32(?,?), ref: 009E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009E9D82

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

GetWindowLongW.USER32(?,000000F0), ref: 009E9E05

Strings

F, xrefs: 009E9D07
@GUI_DRAGID, xrefs: 009E997D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: d0bd0d4ba6abc5044d5e0b219397578b4f6ddc632c38fceff5ca71c050fcf6fc
Instruction ID: 72b4a4d6525a9b64722fe22931647ae119c1b4cb4af72c37543107c7d09d142b
Opcode Fuzzy Hash: d0bd0d4ba6abc5044d5e0b219397578b4f6ddc632c38fceff5ca71c050fcf6fc
Instruction Fuzzy Hash: 7A429070108281AFD722CF6ACC84BAABBF9FF49714F14061AF999872A1D731DC55DB41

Function 009E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 009E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 009E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 009E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 009E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 009E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 009E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009E4A7E
IsMenu.USER32(?), ref: 009E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E4B20
GetWindowLongW.USER32(?,000000F0), ref: 009E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 009E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 009E4C82
wsprintfW.USER32 ref: 009E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 009E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 009E4D5A

Strings

%d/%02d/%02d, xrefs: 009E4CA8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: d5969e61e685134a5f61da3e9956f04458d45cb663efe4980f7df3a4cab6cd09
Instruction ID: 57f4984f47c6302e78b4b507b1ccf0131fa420dfe9db59eb7ec42ed5c1bc523b
Opcode Fuzzy Hash: d5969e61e685134a5f61da3e9956f04458d45cb663efe4980f7df3a4cab6cd09
Instruction Fuzzy Hash: 6E12F071900284ABEB268F26CC49FAE7BF8EF85B10F104529F915EB2E1DB749D41CB50

Function 0096F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0096F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009AF474
IsIconic.USER32(00000000), ref: 009AF47D
ShowWindow.USER32(00000000,00000009), ref: 009AF48A
SetForegroundWindow.USER32(00000000), ref: 009AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009AF4AA
GetCurrentThreadId.KERNEL32 ref: 009AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 009AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 009AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 009AF4DE
SetForegroundWindow.USER32(00000000), ref: 009AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF4F6
keybd_event.USER32(00000012,00000000), ref: 009AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF50B
keybd_event.USER32(00000012,00000000), ref: 009AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF519
keybd_event.USER32(00000012,00000000), ref: 009AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF528
keybd_event.USER32(00000012,00000000), ref: 009AF52D
SetForegroundWindow.USER32(00000000), ref: 009AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 009AF557

Strings

Shell_TrayWnd, xrefs: 009AF46F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 95e19789217cc71a65f4be379ba72dc68c411a4d35dc70a55754888f8eccaab3
Instruction ID: 0cc05e871f74d3dd1b15ef92ec2fcda21953c31757d74ba6b6a3612a0809833e
Opcode Fuzzy Hash: 95e19789217cc71a65f4be379ba72dc68c411a4d35dc70a55754888f8eccaab3
Instruction Fuzzy Hash: D131A6B1A54358BFEB206BF55C8AFBF7E6DEB45B50F100425FA00EA1D1C6B15D01BAA0

Function 009B1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
Part of subcall function 009B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
Part of subcall function 009B16C3: GetLastError.KERNEL32 ref: 009B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 009B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009B12A8
CloseHandle.KERNEL32(?), ref: 009B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009B12D1
GetProcessWindowStation.USER32 ref: 009B12EA
SetProcessWindowStation.USER32(00000000), ref: 009B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009B1310

Part of subcall function 009B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B11FC), ref: 009B10D4
Part of subcall function 009B10BF: CloseHandle.KERNEL32(?,?,009B11FC), ref: 009B10E9

Strings

, xrefs: 009B125A
default, xrefs: 009B130B
winsta0, xrefs: 009B12CC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: d5ed7d86973faf8dd24e28ceb53eee40b3965061bad3584464a1ee5966212d37
Instruction ID: 2e474adf83358a17ada1c8813b841d1bb91020f26dcd78e944306aacd96e5503
Opcode Fuzzy Hash: d5ed7d86973faf8dd24e28ceb53eee40b3965061bad3584464a1ee5966212d37
Instruction Fuzzy Hash: 5481ACB1900249AFDF219FA4DE99FEE7BBEEF44710F144129F910A61A0CB318D45CB24

Function 009B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
Part of subcall function 009B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
Part of subcall function 009B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
Part of subcall function 009B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B0C00
GetLengthSid.ADVAPI32(?), ref: 009B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 009B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B0C6D
GetLengthSid.ADVAPI32(?), ref: 009B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009B0C8C
HeapAlloc.KERNEL32(00000000), ref: 009B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B0CB4
CopySid.ADVAPI32(00000000), ref: 009B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D45
HeapFree.KERNEL32(00000000), ref: 009B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D55
HeapFree.KERNEL32(00000000), ref: 009B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D65
HeapFree.KERNEL32(00000000), ref: 009B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 009B0D78
HeapFree.KERNEL32(00000000), ref: 009B0D7F

Part of subcall function 009B1193: GetProcessHeap.KERNEL32(00000008,009B0BB1,?,00000000,?,009B0BB1,?), ref: 009B11A1
Part of subcall function 009B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009B0BB1,?), ref: 009B11A8
Part of subcall function 009B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009B0BB1,?), ref: 009B11B7

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9e0111c89a7e134751b44924d322315abc0111f6a3596f5897eee86e5b26c242
Instruction ID: f02c9135fe8d42c278483c22118c26a37152b8a3e1634ab30beed5afeba5fbf6
Opcode Fuzzy Hash: 9e0111c89a7e134751b44924d322315abc0111f6a3596f5897eee86e5b26c242
Instruction Fuzzy Hash: 73716CB290420AABDF10DFA4DD85BEFBBBCBF84320F044515E955AB191D771AE06CB60

Function 009CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009ECC08), ref: 009CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 009CEB37
GetClipboardData.USER32(0000000D), ref: 009CEB43
CloseClipboard.USER32 ref: 009CEB4F
GlobalLock.KERNEL32(00000000), ref: 009CEB87
CloseClipboard.USER32 ref: 009CEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 009CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 009CEBC9
GetClipboardData.USER32(00000001), ref: 009CEBD1
GlobalLock.KERNEL32(00000000), ref: 009CEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 009CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 009CEC38
GetClipboardData.USER32(0000000F), ref: 009CEC44
GlobalLock.KERNEL32(00000000), ref: 009CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 009CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009CECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 009CECF3
CountClipboardFormats.USER32 ref: 009CED14
CloseClipboard.USER32 ref: 009CED59

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 23d481178783c60e488a74d305204402290cad8eed681be6cd0b5345a3b636eb
Instruction ID: a70bcf351060bbd48ea1c9deff6cfe8c31d2d55bb8451efd3b53d391e10d2560
Opcode Fuzzy Hash: 23d481178783c60e488a74d305204402290cad8eed681be6cd0b5345a3b636eb
Instruction Fuzzy Hash: A161BC746083429FD300EF25D885F3A7BA8AF84714F14451DF9978B2A2DB31DD0ADB62

Function 009C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C69BE
FindClose.KERNEL32(00000000), ref: 009C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009C6A75

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 009C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 009C6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 009C6B32
%02d, xrefs: 009C6C00, 009C6C0A, 009C6C5A, 009C6CAA, 009C6CFA, 009C6D4A
%03d, xrefs: 009C6DA2
%4d, xrefs: 009C6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 009C6B6A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ab25cbda11e80f54e552b56a4a14d081abf62723425501dbe88be260a8efe479
Instruction ID: c7b65033459ee4ecc8dfd225496478784be39d65a805c478d166b71bee41abb8
Opcode Fuzzy Hash: ab25cbda11e80f54e552b56a4a14d081abf62723425501dbe88be260a8efe479
Instruction Fuzzy Hash: B8D161B1908300AFC710EBA5D891FABB7ECAF88705F44491DF989C7191EB34DA48C762

Function 009C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 009C9663
GetFileAttributesW.KERNEL32(?), ref: 009C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 009C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 009C96D3
FindClose.KERNEL32(00000000), ref: 009C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 009C974A
SetCurrentDirectoryW.KERNEL32(00A16B7C), ref: 009C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C9772
FindClose.KERNEL32(00000000), ref: 009C977F
FindClose.KERNEL32(00000000), ref: 009C978F

Strings

*.*, xrefs: 009C96F5

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 147733c47061887bdf20600e17f322ed63412626f1a70cc0187968c875cafb1b
Instruction ID: 5f174c7dbad670490d4b972d117ed391b743d6ea27a62911b949bd6aa14eb9da
Opcode Fuzzy Hash: 147733c47061887bdf20600e17f322ed63412626f1a70cc0187968c875cafb1b
Instruction Fuzzy Hash: 5531E072945249AADF10AFB4DC4DFDE37ACAF49320F104459F964E21A0DB74DE818A25

Function 009C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 009C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 009C9819
FindClose.KERNEL32(00000000), ref: 009C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 009C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 009C9890
SetCurrentDirectoryW.KERNEL32(00A16B7C), ref: 009C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C98B8
FindClose.KERNEL32(00000000), ref: 009C98C5
FindClose.KERNEL32(00000000), ref: 009C98D5

Part of subcall function 009BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009BDB00

Strings

*.*, xrefs: 009C983B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9aff9fffad979d6f4f4d61a79695cb4f4d9230fbbbda2a7ab1141a47b09c54be
Instruction ID: 147facd56bb74cfeaef5f8fb375bfb2e649c081b6a863f398750573a8bd1275e
Opcode Fuzzy Hash: 9aff9fffad979d6f4f4d61a79695cb4f4d9230fbbbda2a7ab1141a47b09c54be
Instruction Fuzzy Hash: B7310132944259BEDB10AFB4EC4CFDE37ACAF46320F108459E8A4E31D0DB71DE858A21

Function 009C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 009C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8395

Strings

*.*, xrefs: 009C839B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a046f13abf6bf88277dda7f82f765acfd683cc4229699d818c3a88fac26bb050
Instruction ID: 1d7a28c5c6c8f1f2b383f1e0d7c37b6fbdb1ce95ce48e8c563c6085b91b451a4
Opcode Fuzzy Hash: a046f13abf6bf88277dda7f82f765acfd683cc4229699d818c3a88fac26bb050
Instruction Fuzzy Hash: F56139B25083459FCB10DF64C844AAFB3E8FF89311F04891EF99997251EB35E949CB92

Function 009BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

FindFirstFileW.KERNEL32(?,?), ref: 009BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 009BD1DD
MoveFileW.KERNEL32(?,?), ref: 009BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 009BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 009BD237

Part of subcall function 009BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,009BD21C,?,?), ref: 009BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 009BD253
FindClose.KERNEL32(00000000), ref: 009BD264

Strings

\*.*, xrefs: 009BD0CD, 009BD0D6, 009BD0EB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: eab15e12d18e3b713da459a0349aaa60f0924ea73a176f9a41b758d2d6fc6d6e
Instruction ID: d6f39ced702236a86c20df656747043e5444ab6cf18fdccc9ec92d1383032171
Opcode Fuzzy Hash: eab15e12d18e3b713da459a0349aaa60f0924ea73a176f9a41b758d2d6fc6d6e
Instruction Fuzzy Hash: 9D619E7180614DAFCF05EBE1DA92AEDB7B9AF94311F204165E81177192EB30AF09DB60

Function 009CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009CED91
EmptyClipboard.USER32 ref: 009CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 009CEDAC
CloseClipboard.USER32 ref: 009CEEA3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 323dba27faf97af8917cc160a626c455f7d34283fc5a77d532940fec541a1b2c
Instruction ID: 3b75ab2ffe66f1a330cd5cab34138450734bbb8263909b6970158e0770b04549
Opcode Fuzzy Hash: 323dba27faf97af8917cc160a626c455f7d34283fc5a77d532940fec541a1b2c
Instruction Fuzzy Hash: 8441CC75A08251AFE320DF15D888F1ABBA5EF44358F04C09DE8668F6A2C735ED42CB91

Function 009BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
Part of subcall function 009B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
Part of subcall function 009B16C3: GetLastError.KERNEL32 ref: 009B174A

ExitWindowsEx.USER32(?,00000000), ref: 009BE932

Strings

SeShutdownPrivilege, xrefs: 009BE902
, xrefs: 009BE95C
@, xrefs: 009BE925
, xrefs: 009BE920

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 00eabdfcef31fcb1de554848ff617360f4e26a690dc7e46d870333e829c4c6ae
Instruction ID: 5d51dbde85fa92ace37b00efadeb656c1f52f0be9f1b5d2d5a6ac5da7e85cc2c
Opcode Fuzzy Hash: 00eabdfcef31fcb1de554848ff617360f4e26a690dc7e46d870333e829c4c6ae
Instruction Fuzzy Hash: 55012673624310AFEB1826B49E86BFB729CA7047A0F140822F813E21D1D5A45C489190

Function 009D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009D1276
WSAGetLastError.WSOCK32 ref: 009D1283
bind.WSOCK32(00000000,?,00000010), ref: 009D12BA
WSAGetLastError.WSOCK32 ref: 009D12C5
closesocket.WSOCK32(00000000), ref: 009D12F4
listen.WSOCK32(00000000,00000005), ref: 009D1303
WSAGetLastError.WSOCK32 ref: 009D130D
closesocket.WSOCK32(00000000), ref: 009D133C

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 5b4dcd70a48c4edefed38cdc7030cf5f2c620ba1d5d7f54c37febe38528c203c
Instruction ID: 4255446aba42538867afd5dba26837085b2092c82c8d5ba1724151a163084530
Opcode Fuzzy Hash: 5b4dcd70a48c4edefed38cdc7030cf5f2c620ba1d5d7f54c37febe38528c203c
Instruction Fuzzy Hash: E241B171600240AFD714DF64C5C8B29BBE5AF86318F18C089E9668F392C771ED86CBE1

Function 0098B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0098B9D4
_free.LIBCMT ref: 0098B9F8
_free.LIBCMT ref: 0098BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009F3700), ref: 0098BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A2121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0098BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A21270,000000FF,?,0000003F,00000000,?), ref: 0098BC36
_free.LIBCMT ref: 0098BD4B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0d157db58c9fce16d805d84c37d5cb9ecc6c5c1c318382e79d571b920e543ecf
Instruction ID: 774daa93403373498c607c41eb293fd3e73291d2f62366cf312afa457cc30f37
Opcode Fuzzy Hash: 0d157db58c9fce16d805d84c37d5cb9ecc6c5c1c318382e79d571b920e543ecf
Instruction Fuzzy Hash: 6FC1F472904205AFDB24FF69D851BAA7BECEF91310F1C41AAE494D7392E7309E42C750

Function 009BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

FindFirstFileW.KERNEL32(?,?), ref: 009BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 009BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 009BD481
FindClose.KERNEL32(00000000), ref: 009BD498
FindClose.KERNEL32(00000000), ref: 009BD4A1

Strings

\*.*, xrefs: 009BD3F2

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 3df858e5543ea6942c86e7ee2e966fd7758982922d29eb5b5153b3f88076e46f
Instruction ID: 8844b239f08c73649c8ca344f8d21123d5fbc399e04f64a5774b88cc8b496f06
Opcode Fuzzy Hash: 3df858e5543ea6942c86e7ee2e966fd7758982922d29eb5b5153b3f88076e46f
Instruction Fuzzy Hash: 60315C7101D3859FC200EF65D9929EFB7E8AE91351F444E2DF8D1931A1EB30AA0D9762

Function 0098E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0098E645

Strings

1#QNAN, xrefs: 0098F84B
1#INF, xrefs: 0098F852
1#IND, xrefs: 0098F83D
1#SNAN, xrefs: 0098F844

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bea32cd20fb5865937895e9030f96fc09b65d1c8f68c387bfd426bef77678aa6
Instruction ID: cc7a2a8a13cfa456ee9f9695ded0cc1d61732fe537376a3e69a2532a81c980cb
Opcode Fuzzy Hash: bea32cd20fb5865937895e9030f96fc09b65d1c8f68c387bfd426bef77678aa6
Instruction Fuzzy Hash: 5BC23B72E086298FDB25DE28DD547EAB7B9EB84304F1445EAD44DE7340E778AE818F40

Function 009C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009C64DC
CoInitialize.OLE32(00000000), ref: 009C6639
CoCreateInstance.OLE32(009EFCF8,00000000,00000001,009EFB68,?), ref: 009C6650
CoUninitialize.OLE32 ref: 009C68D4

Strings

.lnk, xrefs: 009C64BA, 009C6524, 009C65E0

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 33e801aed698d47f35098628d04d4cd6ad2da6883170fd04ccfae1a20a90677b
Instruction ID: 912fc6fbb8c19138c7c333a490fe625e7bdffe7d3f398326ebcf08b6a1d4e132
Opcode Fuzzy Hash: 33e801aed698d47f35098628d04d4cd6ad2da6883170fd04ccfae1a20a90677b
Instruction Fuzzy Hash: 95D14871508241AFD304EF25C881E6BB7E9FFD4705F50496DF9958B291EB30EA09CB92

Function 009D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009D22E8

Part of subcall function 009CE4EC: GetWindowRect.USER32(?,?), ref: 009CE504

GetDesktopWindow.USER32 ref: 009D2312
GetWindowRect.USER32(00000000), ref: 009D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 009D2355
GetCursorPos.USER32(?), ref: 009D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009D23DF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5684d4b2c732b0327db26a40749949ebe72868079138498aff42bb6ae0af8fbf
Instruction ID: 2bcf67fae23403ebd6dbae60d501b4332b8a27dacfd1d14b9aeb5b772ab78d96
Opcode Fuzzy Hash: 5684d4b2c732b0327db26a40749949ebe72868079138498aff42bb6ae0af8fbf
Instruction Fuzzy Hash: C631CD72548355ABCB20DF14C849B9BBBADFF84710F00491AF9959B291DB34EA09CB92

Function 009C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 009C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009C9C8B

Part of subcall function 009C3874: GetInputState.USER32 ref: 009C38CB
Part of subcall function 009C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 009C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009C9C75

Strings

*.*, xrefs: 009C9B5D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: a8fa031260ac69d13fa4913c58712b59a6708ac26d744ec2e3a45fa1aec2bc5c
Instruction ID: b00425c404ec026174181606d4b95de003f96ff4ebd5a80c462705f04e7dde6d
Opcode Fuzzy Hash: a8fa031260ac69d13fa4913c58712b59a6708ac26d744ec2e3a45fa1aec2bc5c
Instruction Fuzzy Hash: 0E419E71D4420AAFCF14DF64C889FEEBBB8EF55310F208059E849A2191EB309E84CF61

Function 0096997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00969A4E
GetSysColor.USER32(0000000F), ref: 00969B23
SetBkColor.GDI32(?,00000000), ref: 00969B36

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: b4336a2a6dc17a8d0df9bc48fa71005fc21b33414989a225f3b4b90dff86e812
Instruction ID: a7459af0b61b75748f7f263885ab4688b4468d23e0897b2a80179a354668e7e9
Opcode Fuzzy Hash: b4336a2a6dc17a8d0df9bc48fa71005fc21b33414989a225f3b4b90dff86e812
Instruction Fuzzy Hash: 89A12870208444BEE725EBBD8C9AF7B76DDDB83340F15051AF502CA691CA399D02D6B2

Function 009D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
Part of subcall function 009D304E: _wcslen.LIBCMT ref: 009D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009D185D
WSAGetLastError.WSOCK32 ref: 009D1884
bind.WSOCK32(00000000,?,00000010), ref: 009D18DB
WSAGetLastError.WSOCK32 ref: 009D18E6
closesocket.WSOCK32(00000000), ref: 009D1915

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: de5d105779896ddf39beb61c78fabe729062f7d74db4289bd8da6b64d1318a9e
Instruction ID: 9ef85ad87550ff03a45bffeb2e2979307f7f29571990e2ad59b72166c8ad2279
Opcode Fuzzy Hash: de5d105779896ddf39beb61c78fabe729062f7d74db4289bd8da6b64d1318a9e
Instruction Fuzzy Hash: 35519171A40200AFDB10EF24D886F2AB7E5AB84718F48C459FD559F393DB71AD42CBA1

Function 009E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009E1CC0
IsWindowEnabled.USER32 ref: 009E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009E1CDB
IsIconic.USER32 ref: 009E1CE9
IsZoomed.USER32 ref: 009E1CF7

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2c0461d95dc71c687404cfe1e7deb0d61e73ce32527114d9b01fc122d6459a1a
Instruction ID: 20e36692780ed953ae81b3949e9e18ca6acf144cf4a8d38662af22df2ea2f9eb
Opcode Fuzzy Hash: 2c0461d95dc71c687404cfe1e7deb0d61e73ce32527114d9b01fc122d6459a1a
Instruction Fuzzy Hash: F721A6717442915FD7228F1BC884B6A7BE9FF85315B298468E885CB391C771EC42CB90

Function 00958060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009583FA
ERCP, xrefs: 0095813C
VUUU, xrefs: 009583E8
VUUU, xrefs: 0095843C
VUUU, xrefs: 00995DF0

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 7b577ee7e8c8c42f95a9423097be49e3eab655f166d7a616d24f296b95e034e2
Instruction ID: b64c5c7ff57943835b9f5f0c26848ed01c23d0654c1accc01a42ee16d214ee9d
Opcode Fuzzy Hash: 7b577ee7e8c8c42f95a9423097be49e3eab655f166d7a616d24f296b95e034e2
Instruction Fuzzy Hash: C4A29B70E0021ACBDF24CF59C8807AEB7B5BF54311F2585AAEC55AB284EB349D85CF90

Function 009DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 009DA6BA

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Process32NextW.KERNEL32(00000000,?), ref: 009DA79C
CloseHandle.KERNEL32(00000000), ref: 009DA7AB

Part of subcall function 0096CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00993303,?), ref: 0096CE8A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: acbe72a691f8eff99414f9efd495af746eff1de8f5a6340b8d2b39ddfdd9707d
Instruction ID: 86181047e52b05461b1843d766b8d598b9d4af24e85bc6cfc3ec82cf3b963711
Opcode Fuzzy Hash: acbe72a691f8eff99414f9efd495af746eff1de8f5a6340b8d2b39ddfdd9707d
Instruction Fuzzy Hash: 8B5150B15083009FD710EF25D886A6BBBE8FFC9754F40891DF98597262EB30D908CB92

Function 009BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 009BAAAC
SetKeyboardState.USER32(00000080), ref: 009BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 009BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 009BAB88

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b8f75af111fdd4b0112a5025d41ea727013f36dadf3c8b63f59ee68701ddd406
Instruction ID: 18ce59ea2e9164c9878e2197ed888c2360f9f92b56afaf9b959183bc4ad6fc1a
Opcode Fuzzy Hash: b8f75af111fdd4b0112a5025d41ea727013f36dadf3c8b63f59ee68701ddd406
Instruction Fuzzy Hash: EE314870A50268AEFF34CB64CD05BFA7BAAAB44330F04421BF1E1961D0D3788D85D762

Function 009CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 009CCE89
GetLastError.KERNEL32(?,00000000), ref: 009CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 009CCEFE

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 97884be992f30125f51b87be2e7f53a0518ac7cc17295953ce072b0a61bf6b60
Instruction ID: 1a61049f0f38d2b5ad5a102883d7dbce31a091332b940122c8932bbc188f2465
Opcode Fuzzy Hash: 97884be992f30125f51b87be2e7f53a0518ac7cc17295953ce072b0a61bf6b60
Instruction Fuzzy Hash: A621EDB1900305ABDB20CF65C988FAA7BFCEB41344F10881EE64AD2151E734EE059B51

Function 009B8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009B82AA

Strings

(, xrefs: 009B82F0
|, xrefs: 009B82DA

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f9e6e292e97b116e61ae2f0a293332c6962a46154a7978d1a979d83da269d34e
Instruction ID: b4fe12e028cef473e45ad830e42fdcb6045b0d454c8c83e60c380b8b8e1c0528
Opcode Fuzzy Hash: f9e6e292e97b116e61ae2f0a293332c6962a46154a7978d1a979d83da269d34e
Instruction Fuzzy Hash: FC323675A00605DFCB28CF59C581AAAB7F4FF48720B15C56EE49ADB3A1EB70E941CB40

Function 009C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 009C5D17
FindClose.KERNEL32(?), ref: 009C5D5F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 52414eb11ea0c6fb1a90d006702c50ef84eb2898957025c45d9a79b3680be84a
Instruction ID: 1dcb9bd9588f5a2a9f9417410a895776bef3b1b70ca1bce95598bdd6a1059e2b
Opcode Fuzzy Hash: 52414eb11ea0c6fb1a90d006702c50ef84eb2898957025c45d9a79b3680be84a
Instruction Fuzzy Hash: FE516674A047019FC714CF28C494E96B7E8BF49324F15855DE9AA8B3A2DB30FD45CB92

Function 00982622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0098271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00982724
UnhandledExceptionFilter.KERNEL32(?), ref: 00982731

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cd0b63fc9e72da9e90848e087c7e7eb9b36f50ba213b66c0e9c4a7a9955cef5c
Instruction ID: 25d086ba2495837bc4217624b119882eaff1cca3a12f51e6edd9b51649f72a9d
Opcode Fuzzy Hash: cd0b63fc9e72da9e90848e087c7e7eb9b36f50ba213b66c0e9c4a7a9955cef5c
Instruction Fuzzy Hash: 8931B375911318ABCB21DF68DD897DDBBB8AF48710F5081EAE81CA7261E7309F818F45

Function 009C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009C5238
SetErrorMode.KERNEL32(00000000), ref: 009C52A1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f45befbcab4b28c1e8fc0fb1688f083c826cdefa751b58108fb4bc060d172dc6
Instruction ID: b33ccaab0f1bc9b87ad38cba80baa12a62f77a4244c51b6d0f2fab182741b547
Opcode Fuzzy Hash: f45befbcab4b28c1e8fc0fb1688f083c826cdefa751b58108fb4bc060d172dc6
Instruction Fuzzy Hash: 6F313A75A00618DFDB00DF94D884FADBBB4FF48314F058099E845AB362DB35E85ACB91

Function 009B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0096FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00970668
Part of subcall function 0096FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00970685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
GetLastError.KERNEL32 ref: 009B174A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: be74baa132b452eea0cb0b72ce702443092ad005590d338fa75e1b3775648656
Instruction ID: f586d772ab09de9f1a91237e95412dcf2dd2ac0de305a293fb5d8cb2ea802257
Opcode Fuzzy Hash: be74baa132b452eea0cb0b72ce702443092ad005590d338fa75e1b3775648656
Instruction Fuzzy Hash: 3511E3B2414305AFD7189F54ECC6EABB7BDEB44724B20852EF05657281EB70FC428B60

Function 009BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 009BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009BD650

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 368a8d4a790aa62a87c8104d606e422231223af7312ad3a211ce141c5973f6e8
Instruction ID: e13dad5c03c77bfee20124ec3e5c5244a8724db7fc4c39f6d731fcbdc693d170
Opcode Fuzzy Hash: 368a8d4a790aa62a87c8104d606e422231223af7312ad3a211ce141c5973f6e8
Instruction Fuzzy Hash: AF117CB1E05228BBDB108F949C84FEFBFBCEB45B60F108111F904E7290D2704A018BA1

Function 009B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009B16A1
FreeSid.ADVAPI32(?), ref: 009B16B1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b5fd90ec8014832ca60a1a2feeb019a73e7c4b6d215956aa3bcc4e919cba904f
Instruction ID: 504eedd41d76ac265328f044fbb9f42ec7b5b0375a8d5ad0d9096063d64b74a8
Opcode Fuzzy Hash: b5fd90ec8014832ca60a1a2feeb019a73e7c4b6d215956aa3bcc4e919cba904f
Instruction Fuzzy Hash: D0F0F4B1950309FBDF00DFE49D89AAEBBBCEB08605F504565E501E6181E774AA449A50

Function 00974CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000,?,009828E9), ref: 00974D09
TerminateProcess.KERNEL32(00000000,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000,?,009828E9), ref: 00974D10
ExitProcess.KERNEL32 ref: 00974D22

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 51909308866290b53ccc89c3521cc2fabd9356aebf86595a803315794008cb80
Instruction ID: 81714a3c4f62192d30106ca68d4f7a63b5406eb1e49cac10d1faa274141650d3
Opcode Fuzzy Hash: 51909308866290b53ccc89c3521cc2fabd9356aebf86595a803315794008cb80
Instruction Fuzzy Hash: 79E0B672014188AFCF21AF54DD5AA583B69EB81781B118014FC999E263DB35ED52DB80

Function 0098C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0098C36C

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 3fe682b85056681a36cd497db8fcc8a09c6711b78760c8def3b2a4ffd098ce89
Instruction ID: 7a5cdf3048ae9c218c3c5417ff729f3838e958caff45bf559d041c65a8db0657
Opcode Fuzzy Hash: 3fe682b85056681a36cd497db8fcc8a09c6711b78760c8def3b2a4ffd098ce89
Instruction Fuzzy Hash: 384129B2500219AFCB20AFB9DC49EBB777CEB84354F504269F915D7280E670DD818B60

Function 009AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 009AD28C

Strings

X64, xrefs: 009AD2A8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3a00d7356f50d1d1396d8b1afc01ae264771d507cb40ca12043c7704dfaafa87
Instruction ID: 1d02a49d64785e41255f9f1c2f747e428b6a5ed6272d859e287802f86caf8718
Opcode Fuzzy Hash: 3a00d7356f50d1d1396d8b1afc01ae264771d507cb40ca12043c7704dfaafa87
Instruction Fuzzy Hash: ABD0C9B481611DEACF90DB90DCC8DD9B37CBB04305F100551F506A2000D73495499F50

Function 0097CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 2a3e3a8fe29ae918bc43b47790ad41a20336ed06c68d3b64b909746b51d068a9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: FA021DB2E001199FDF24CFA9C8806ADBBF5EF88314F25856DD919E7380D731AE418B94

Function 009C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C6918
FindClose.KERNEL32(00000000), ref: 009C6961

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 775c7bbc8c937ec9bb28e5bd727ac64881df45e3078d77ff17e50582fb7b6cc8
Instruction ID: a970dbd92eade25528ae9a902611754bf38ad05e96d5b934499d44fc5227c256
Opcode Fuzzy Hash: 775c7bbc8c937ec9bb28e5bd727ac64881df45e3078d77ff17e50582fb7b6cc8
Instruction Fuzzy Hash: 3B117C71A142009FC710DF6AD885B16BBE5EF89329F14C69DE8698F2A2C730EC05CB91

Function 009C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,009D4891,?,?,00000035,?), ref: 009C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,009D4891,?,?,00000035,?), ref: 009C37F4

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4ff964d23d3a6f4b14c06f38cbce1b927a3582bcd5cc6e25c774fcb5f32ffc46
Instruction ID: 9d50ad0d401a1c446e3a35bab905d37c43605033b838564819cf215712f1141e
Opcode Fuzzy Hash: 4ff964d23d3a6f4b14c06f38cbce1b927a3582bcd5cc6e25c774fcb5f32ffc46
Instruction Fuzzy Hash: 15F0ECB16043196AE71057668C4DFEB365EEFC5761F004165F509D2281D9609D04C7B1

Function 009BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009BB25D
keybd_event.USER32(?,76AAC0D0,?,00000000), ref: 009BB270

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 853c8c0a72a43675891e2e37e84af0422f723a402c2eb4bb9f11449d42384bd7
Instruction ID: 2cc06d150d43b86b70fad47049e6480da8c758cb9bfd49046083ce62c427909c
Opcode Fuzzy Hash: 853c8c0a72a43675891e2e37e84af0422f723a402c2eb4bb9f11449d42384bd7
Instruction Fuzzy Hash: 4DF01D7181428DABDB059FA1C805BEE7BB4FF04315F008409F965A9191C779D6119F94

Function 009B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B11FC), ref: 009B10D4
CloseHandle.KERNEL32(?,?,009B11FC), ref: 009B10E9

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2f87273d3682f5413cdac9dbb6fe49245417cf1cabbb891bba54f7399859db6a
Instruction ID: 0f64de77e90fe30508aa698211aa2cf40b5c09e6ea1a0777ea58dbfeabcd84a6
Opcode Fuzzy Hash: 2f87273d3682f5413cdac9dbb6fe49245417cf1cabbb891bba54f7399859db6a
Instruction Fuzzy Hash: FAE04F72018600AEE7252B11FC05F737BADEB04320F10882EF4A5844B1DB626C90EB10

Function 0095CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 009A0C40

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: b622078e553f7af5ddda2598596f6f61161ab92c69f373f7711fc53b293684b7
Instruction ID: 39af28ff27029acbfe7254b68ffc5f70a9f69936bc8d2fecf98eb2236d76eacc
Opcode Fuzzy Hash: b622078e553f7af5ddda2598596f6f61161ab92c69f373f7711fc53b293684b7
Instruction Fuzzy Hash: 86327AB09003189FCF14DF95C885BEDB7B9BF85305F248459EC06AB292D775AE49CB60

Function 0098676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00986766,?,?,00000008,?,?,0098FEFE,00000000), ref: 00986998

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48ab1851aef3568f68c8e37f52544a3c4b9c118adb458ab4f1a4bd2a1464ddac
Instruction ID: 2bb04ee265b5b26e717a8568b5ea0adfea49c234894c128cf265cd18c2cf94c5
Opcode Fuzzy Hash: 48ab1851aef3568f68c8e37f52544a3c4b9c118adb458ab4f1a4bd2a1464ddac
Instruction Fuzzy Hash: 41B13A31610609DFD719DF28C48AB657BE0FF45364F258658E89ACF3A2C736E991CB40

Function 0096B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 009A851F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fbf2f4147e9f6c8c403bc2f503e27289b8feb6b0264ec3d123aacd23618f5150
Instruction ID: db6bf6da0f881d202701081602e4a315e00172200923fc0d6d7d6a344eb52d4c
Opcode Fuzzy Hash: fbf2f4147e9f6c8c403bc2f503e27289b8feb6b0264ec3d123aacd23618f5150
Instruction Fuzzy Hash: 661230719002299FDB14CF58C8807EEB7F5FF49710F14819AE849EB255EB349E81CB90

Function 009CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009CEABD

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e464d515dec6cec28fb4ab23621ea49c1180122db7293349b5000e4a50ffc73a
Instruction ID: e09263689145c2bcb40e907678f98b9e2d9415550ef2c9db8d0ac68946af9176
Opcode Fuzzy Hash: e464d515dec6cec28fb4ab23621ea49c1180122db7293349b5000e4a50ffc73a
Instruction Fuzzy Hash: A2E01A752102049FC710EF6AD844E9AB7E9AF98760F00841AFC4ACB291DA70A8458B91

Function 009709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009703EE), ref: 009709DA

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8cc5d2634f85f80753af343b0bbf1de7ae55a1e32236db00ed9e861c5fb04cdd
Instruction ID: 0c3688862f74e0f2b0020909b79d01f97799eae263cdb8fb561baad70f3dceb5
Opcode Fuzzy Hash: 8cc5d2634f85f80753af343b0bbf1de7ae55a1e32236db00ed9e861c5fb04cdd
Instruction Fuzzy Hash:

Function 0097781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0097798B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 8415728957ff13f459aa341b8aa1ddd1bbfaa42a1c1d029692f5be0c6ad55429
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2251246360D705ABDB3885E8C89E7FEE39D9B82340F18C919D98ED7282C615DE01D397

Function 00986DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aabb33b83efc9119c6d00f9504735d421c0f4739cabeb8f2de4c054113cbfb
Instruction ID: 8455fa4eec3ebc8349c972ba2fecc8002249810634199cf83d162fed61e64e52
Opcode Fuzzy Hash: 90aabb33b83efc9119c6d00f9504735d421c0f4739cabeb8f2de4c054113cbfb
Instruction Fuzzy Hash: 1C32E321D3DF014DD723A634D862335A649AFB73C5F25D737F82AB5AA5EB29C4839200

Function 0096CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e88e67fe02cc198a326b0d3ee156241c9aa08722007e52aa9eeed87819d1910
Instruction ID: 86676dca6fd5a1f798212d512d09aa7265f233c8cf835a66f241121a40f31cb9
Opcode Fuzzy Hash: 3e88e67fe02cc198a326b0d3ee156241c9aa08722007e52aa9eeed87819d1910
Instruction Fuzzy Hash: C83249F2A041058BDF24CF2CC4946BD77A9EF46314F298966E4DADF291D238DD81DB90

Function 00957920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381b9edba7893f22603580e571d5bacec1219df139c0a0ac0204648abb0694dc
Instruction ID: 8d7367d8d3eae76a1633b6fb5e6b6abd14818db38eeb94343da798bd6837d789
Opcode Fuzzy Hash: 381b9edba7893f22603580e571d5bacec1219df139c0a0ac0204648abb0694dc
Instruction Fuzzy Hash: E222C1B0A0460ADFDF14CFA9D881AAEF7B5FF44300F114529E816A7291EB3A9E55CB50

Function 009591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a8fb2e5fbbf5e977115c58a51295d6525fe3bd159df2a9b890af8e8d4794b2
Instruction ID: 6d94cae95cb9decb06d7f8c2f6dc73f3b3e04542bfe36c85ef44fba55b207705
Opcode Fuzzy Hash: 80a8fb2e5fbbf5e977115c58a51295d6525fe3bd159df2a9b890af8e8d4794b2
Instruction Fuzzy Hash: D202E7B1E00209EBDF04DF59D881BADBBB5FF44300F108569E8569B290EB35EE15CB91

Function 00971C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d27ebe5f0793acf4693da80121f414e7c965682d5be1640e3c810269be559624
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 649187732080A34BDB2D463E857503EFFE55E923A131A879ED4FACA1C1FE24C954DA20

Function 009719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: dee935ad5c4851c8f1f8644f69a8a3242c1a4ee090688998ce9f86e41b8e7686
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3891B5732090A34BDB2D427E847503DFFE95A923A131E879ED4FACA1C5FE24C658D620

Function 00977A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fbb3aa8e4b9e637f4fb2ee4830aa6e2131af5e073dc7507728c6456bb43b96
Instruction ID: b050c125d3976f127da9406931bf504741f8505c9309949b3e87dfa907e3f8d7
Opcode Fuzzy Hash: 28fbb3aa8e4b9e637f4fb2ee4830aa6e2131af5e073dc7507728c6456bb43b96
Instruction Fuzzy Hash: C8618B3374870596EE3899E88C96BBFE39CEF81700F14CD19E88ECB281D5159E42C755

Function 00977CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f5897f4371a536d9b944fb2f78976b1166cd34510b4632ff00822420fe631
Instruction ID: f940026c417a1fa2382a75512983d4bb3d4ae7d5ad12402edd167c03a525cad7
Opcode Fuzzy Hash: 4f8f5897f4371a536d9b944fb2f78976b1166cd34510b4632ff00822420fe631
Instruction Fuzzy Hash: 41618933348709A6DE384AE84855BBFE39CEF82704F10CD5AE94ECB2D1EA169D42C355

Function 00971706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1bede7bf79cdc4fa8d90df90e949faa7b203ca94e2ce64423b9e37ad7557d864
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 278184336080A30BDB6D463E853507EFFE55A923A171A879ED4FACB1C1FE24C558E620

Function 00BD35D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 910c9099c234820acb456ecfcc230bd10942ae6062f32a824f735659caa6d71f
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 2B41A271D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB50

Function 009C2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f93f1b04781bb4fcbd7705bbc9054b35801cd75836d2728ca22772f7004fcbc
Instruction ID: abcc80746b52f89e390b19bbd4b6b0956e87a9c24a26111c3c7d102f88e250d0
Opcode Fuzzy Hash: 4f93f1b04781bb4fcbd7705bbc9054b35801cd75836d2728ca22772f7004fcbc
Instruction Fuzzy Hash: 1621A5326206118BD728CF79C822B7A73E9A754710F15862EE4A7C77D1DE35A905CB80

Function 00BD3460 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 7312eb44791890f8095286451430e9747ff0be4dd684d23fc4104890c83a7a19
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 48018078A01109EFCB48DF99C5909AEF7F5FB48710B2085DAE809A7701E734AE41DF91

Function 00BD34C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 2cc44c4291a4ffd3a9521fd14d0be267c8b6dc85d89ac46819f875f3bb1a20d1
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 33018078A01109EFCB44DF98C5909AEF7F5FB48710B2085DAE809A7701E731AE41DB81

Function 00BD1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557757782.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 009D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009D2B30
DeleteObject.GDI32(00000000), ref: 009D2B43
DestroyWindow.USER32 ref: 009D2B52
GetDesktopWindow.USER32 ref: 009D2B6D
GetWindowRect.USER32(00000000), ref: 009D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 009D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 009D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2CF8
GetClientRect.USER32(00000000,?), ref: 009D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2DA8
GlobalFree.KERNEL32(00000000), ref: 009D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,009EFC38,00000000), ref: 009D2DDB
GlobalFree.KERNEL32(00000000), ref: 009D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 009D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 009D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D303F

Strings

DISPLAY, xrefs: 009D2EA2
AutoIt v3, xrefs: 009D2CF2
, xrefs: 009D2FC5
static, xrefs: 009D2D3A, 009D2E91

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 363a7b2b50e8b3a8e6fc774d3cc2d3be66e99a25d2423bdb8de71b83982c0724
Instruction ID: cf0a16c15d10b53454daa66e4e4a0520f45511fb4c511e6758a9536888736c18
Opcode Fuzzy Hash: 363a7b2b50e8b3a8e6fc774d3cc2d3be66e99a25d2423bdb8de71b83982c0724
Instruction Fuzzy Hash: 75028CB1910205AFDB14DFA8CC89EAE7BB9FF48711F008559F915AB2A1D774ED02CB60

Function 009E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009E712F
GetSysColorBrush.USER32(0000000F), ref: 009E7160
GetSysColor.USER32(0000000F), ref: 009E716C
SetBkColor.GDI32(?,000000FF), ref: 009E7186
SelectObject.GDI32(?,?), ref: 009E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 009E71C0
GetSysColor.USER32(00000010), ref: 009E71C8
CreateSolidBrush.GDI32(00000000), ref: 009E71CF
FrameRect.USER32(?,?,00000000), ref: 009E71DE
DeleteObject.GDI32(00000000), ref: 009E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 009E7230
FillRect.USER32(?,?,?), ref: 009E7262
GetWindowLongW.USER32(?,000000F0), ref: 009E7284

Part of subcall function 009E73E8: GetSysColor.USER32(00000012), ref: 009E7421
Part of subcall function 009E73E8: SetTextColor.GDI32(?,?), ref: 009E7425
Part of subcall function 009E73E8: GetSysColorBrush.USER32(0000000F), ref: 009E743B
Part of subcall function 009E73E8: GetSysColor.USER32(0000000F), ref: 009E7446
Part of subcall function 009E73E8: GetSysColor.USER32(00000011), ref: 009E7463
Part of subcall function 009E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009E7471
Part of subcall function 009E73E8: SelectObject.GDI32(?,00000000), ref: 009E7482
Part of subcall function 009E73E8: SetBkColor.GDI32(?,00000000), ref: 009E748B
Part of subcall function 009E73E8: SelectObject.GDI32(?,?), ref: 009E7498
Part of subcall function 009E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009E74B7
Part of subcall function 009E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009E74CE
Part of subcall function 009E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009E74DB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 300fcf287fd12680ea9225060eafd3df76d5a5bfd0e53548072e78051ad6a55b
Instruction ID: 237c6f30d74d1e510338c280b383ffb3e768dbdedb674a60676a51e874bc343a
Opcode Fuzzy Hash: 300fcf287fd12680ea9225060eafd3df76d5a5bfd0e53548072e78051ad6a55b
Instruction Fuzzy Hash: 75A1B4B201C341BFD7019FA0DC88E5BBBA9FB49321F100A19FAA29A1E1D735DD45DB52

Function 00968D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00968E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 009A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009A6F43

Part of subcall function 00968F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00968BE8,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968FC5

SendMessageW.USER32(?,00001053), ref: 009A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 009A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 009A6FB7

Strings

0, xrefs: 009A6DCF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f4c99525d28cd510e0ff7422a615d8d0d4de982bd85e7862c9bcfedafa0450bc
Instruction ID: 9209e3af3573b21de9a08a93531058d815e2828a3e8a41b79ea6f10f739fedac
Opcode Fuzzy Hash: f4c99525d28cd510e0ff7422a615d8d0d4de982bd85e7862c9bcfedafa0450bc
Instruction Fuzzy Hash: E312BF70204251DFDB25DF18C888BB6B7F9FB5A310F184569F5858B261CB32EC92DB91

Function 009D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 009D2900
GetClientRect.USER32(00000000,?), ref: 009D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 009D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009D2964
GetStockObject.GDI32(00000011), ref: 009D2974
SelectObject.GDI32(00000000,00000000), ref: 009D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 009D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009D2991
DeleteDC.GDI32(00000000), ref: 009D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 009D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 009D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 009D2A77
GetStockObject.GDI32(00000011), ref: 009D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 009D2A97

Strings

DISPLAY, xrefs: 009D295A
AutoIt v3, xrefs: 009D28F8
static, xrefs: 009D294F, 009D2A71
msctls_progress32, xrefs: 009D2A13

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b09f0fc31254db7d6367056739d9ad6acaab6596f49b6d37cba23921009fdf2b
Instruction ID: 74141b7dc1b9965f06bf037cd8a2533c17e737b6bed088ee779a94f17065a239
Opcode Fuzzy Hash: b09f0fc31254db7d6367056739d9ad6acaab6596f49b6d37cba23921009fdf2b
Instruction Fuzzy Hash: C7B17EB1A40205AFEB24DFA8DC85FAE7BA9FB58711F008115F914EB290D770ED42CB90

Function 009C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C4AED
GetDriveTypeW.KERNEL32(?,009ECB68,?,\\.\,009ECC08), ref: 009C4BCA
SetErrorMode.KERNEL32(00000000,009ECB68,?,\\.\,009ECC08), ref: 009C4D36

Strings

SAS, xrefs: 009C4CC9
1394, xrefs: 009C4C9F
RAID, xrefs: 009C4CBB
RAMDisk, xrefs: 009C4BF4
CDROM, xrefs: 009C4BFB
FileBackedVirtual, xrefs: 009C4CEC
SSA, xrefs: 009C4CA6
ATAPI, xrefs: 009C4C91
Fibre, xrefs: 009C4CAD
Unknown, xrefs: 009C4BED, 009C4C83
Fixed, xrefs: 009C4C09
SSD, xrefs: 009C4C4A
\\.\, xrefs: 009C4B3F
USB, xrefs: 009C4CB4
Network, xrefs: 009C4C02
Virtual, xrefs: 009C4CE5
MMC, xrefs: 009C4CDE
Removable, xrefs: 009C4C10, 009C4C15
SCSI, xrefs: 009C4C8A
PhysicalDrive, xrefs: 009C4B76
ATA, xrefs: 009C4C98
SATA, xrefs: 009C4CD0
iSCSI, xrefs: 009C4CC2

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9c3a3431ee3e450e17ee43195284e7189ba353c0b7f568f5bb6d0cf85ea12224
Instruction ID: 71dd3ec434edb98dcc57b088ae4fffee64216d60c4f9b0e885cb2975d16cf7d9
Opcode Fuzzy Hash: 9c3a3431ee3e450e17ee43195284e7189ba353c0b7f568f5bb6d0cf85ea12224
Instruction Fuzzy Hash: 3761B130B45505ABDB04DF24DAA2FED77A4AB44300B24481DF886EB2A1DB39ED81DB42

Function 009E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009E7421
SetTextColor.GDI32(?,?), ref: 009E7425
GetSysColorBrush.USER32(0000000F), ref: 009E743B
GetSysColor.USER32(0000000F), ref: 009E7446
CreateSolidBrush.GDI32(?), ref: 009E744B
GetSysColor.USER32(00000011), ref: 009E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009E7471
SelectObject.GDI32(?,00000000), ref: 009E7482
SetBkColor.GDI32(?,00000000), ref: 009E748B
SelectObject.GDI32(?,?), ref: 009E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 009E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 009E7572
DrawFocusRect.USER32(?,?), ref: 009E757D
GetSysColor.USER32(00000011), ref: 009E758E
SetTextColor.GDI32(?,00000000), ref: 009E7596
DrawTextW.USER32(?,009E70F5,000000FF,?,00000000), ref: 009E75A8
SelectObject.GDI32(?,?), ref: 009E75BF
DeleteObject.GDI32(?), ref: 009E75CA
SelectObject.GDI32(?,?), ref: 009E75D0
DeleteObject.GDI32(?), ref: 009E75D5
SetTextColor.GDI32(?,?), ref: 009E75DB
SetBkColor.GDI32(?,?), ref: 009E75E5

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1479c8d48596e1feb7ee9a122ef14852285ac734c475883328d28c25029162e2
Instruction ID: 13029f3f2a2b66d7ff52084f81979634ee7e0e7316d8c7f34e34e102dafdf3cf
Opcode Fuzzy Hash: 1479c8d48596e1feb7ee9a122ef14852285ac734c475883328d28c25029162e2
Instruction Fuzzy Hash: D9618FB2908258AFDF019FA4DC88EEEBFB9EB08320F104115F911AB2A1D7749D41DF90

Function 009E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009E1128
GetDesktopWindow.USER32 ref: 009E113D
GetWindowRect.USER32(00000000), ref: 009E1144
GetWindowLongW.USER32(?,000000F0), ref: 009E1199
DestroyWindow.USER32(?), ref: 009E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 009E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009E1245
IsWindowVisible.USER32(00000000), ref: 009E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009E12D0
GetWindowRect.USER32(00000000,?), ref: 009E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 009E130E
GetMonitorInfoW.USER32(00000000,?), ref: 009E1328
CopyRect.USER32(?,?), ref: 009E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009E13AA

Strings

0, xrefs: 009E10D3
(, xrefs: 009E131B
tooltips_class32, xrefs: 009E11E6

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0883299ebe630b5209770505c2be0ab4cbb3c7682d7b378e8441367b03ecb00c
Instruction ID: 16b91cc4acb99825e15dd3265baa3ae73ec8660e2cd2036d471e87c92145d2ac
Opcode Fuzzy Hash: 0883299ebe630b5209770505c2be0ab4cbb3c7682d7b378e8441367b03ecb00c
Instruction Fuzzy Hash: 6EB17C71608381AFDB15DF66C884B6BBBE4FF88750F008918F9999B2A1D731EC45CB91

Function 009E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E02E5
_wcslen.LIBCMT ref: 009E031F
_wcslen.LIBCMT ref: 009E0389
_wcslen.LIBCMT ref: 009E03F1
_wcslen.LIBCMT ref: 009E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009E0504

Part of subcall function 0096F9F2: _wcslen.LIBCMT ref: 0096F9FD

Part of subcall function 009B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009B2258
Part of subcall function 009B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B228A

Strings

SELECTALL, xrefs: 009E0515
SELECTINVERT, xrefs: 009E057E
GETSUBITEMCOUNT, xrefs: 009E0384, 009E039F
GETITEMCOUNT, xrefs: 009E0316, 009E0337
GETTEXT, xrefs: 009E03EC, 009E0407
FINDITEM, xrefs: 009E0627
SELECT, xrefs: 009E0548
GETSELECTED, xrefs: 009E05E1
VIEWCHANGE, xrefs: 009E0675
GETSELECTEDCOUNT, xrefs: 009E0470, 009E048B
DESELECT, xrefs: 009E059C
ISSELECTED, xrefs: 009E04DD
SELECTCLEAR, xrefs: 009E052D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 2dd3f6a29716dea0d19f3666cdada165e154305be49413a14202fa012da6b283
Instruction ID: 8c72654d3dae756823e9a744b444d29a40af1e9b5999a9367d1792a1cac4d4a0
Opcode Fuzzy Hash: 2dd3f6a29716dea0d19f3666cdada165e154305be49413a14202fa012da6b283
Instruction Fuzzy Hash: 90E19F312082819FC715DF26C551A6EB3E6BFC8714F144A5CF8969B3A1EB70ED86CB81

Function 00968891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00968968
GetSystemMetrics.USER32(00000007), ref: 00968970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0096899B
GetSystemMetrics.USER32(00000008), ref: 009689A3
GetSystemMetrics.USER32(00000004), ref: 009689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00968A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00968A3C
GetClientRect.USER32(00000000,000000FF), ref: 00968A5A
GetStockObject.GDI32(00000011), ref: 00968A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00968A81

Part of subcall function 0096912D: GetCursorPos.USER32(?), ref: 00969141
Part of subcall function 0096912D: ScreenToClient.USER32(00000000,?), ref: 0096915E
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000001), ref: 00969183
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000002), ref: 0096919D

SetTimer.USER32(00000000,00000000,00000028,009690FC), ref: 00968AA8

Strings

AutoIt v3 GUI, xrefs: 00968A20

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4e2047a53dbe050e392c04c70b63b69e1b52d0da8092037eba4c29b04ec18b42
Instruction ID: c999d280c84e49393ad3a69b43ff358625cfb952fdfab5258bddbd3f691671c5
Opcode Fuzzy Hash: 4e2047a53dbe050e392c04c70b63b69e1b52d0da8092037eba4c29b04ec18b42
Instruction Fuzzy Hash: 63B17E71A04209AFDF14DFA8DC85BAE3BB5FB48314F144229FA55AB290DB34E842CF50

Function 009B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
Part of subcall function 009B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
Part of subcall function 009B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
Part of subcall function 009B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B0E29
GetLengthSid.ADVAPI32(?), ref: 009B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 009B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B0E96
GetLengthSid.ADVAPI32(?), ref: 009B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009B0EB5
HeapAlloc.KERNEL32(00000000), ref: 009B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B0EDD
CopySid.ADVAPI32(00000000), ref: 009B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F6E
HeapFree.KERNEL32(00000000), ref: 009B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F7E
HeapFree.KERNEL32(00000000), ref: 009B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F8E
HeapFree.KERNEL32(00000000), ref: 009B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 009B0FA1
HeapFree.KERNEL32(00000000), ref: 009B0FA8

Part of subcall function 009B1193: GetProcessHeap.KERNEL32(00000008,009B0BB1,?,00000000,?,009B0BB1,?), ref: 009B11A1
Part of subcall function 009B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009B0BB1,?), ref: 009B11A8
Part of subcall function 009B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009B0BB1,?), ref: 009B11B7

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3ff0cf65ed2b44c0a112d55c713b6595a674d607242e5537c0c7ba493ac2c942
Instruction ID: aff6879755e041f6f85ff92c6bc9be66160656b8753a4165eaa68ae0489449d8
Opcode Fuzzy Hash: 3ff0cf65ed2b44c0a112d55c713b6595a674d607242e5537c0c7ba493ac2c942
Instruction Fuzzy Hash: 45716CB2A0420AABDF209FA4DD48BEFBBBCBF45311F048155F959AA191D7319E05CB60

Function 009DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,009ECC08,00000000,?,00000000,?,?), ref: 009DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 009DC5A4
_wcslen.LIBCMT ref: 009DC5F4
_wcslen.LIBCMT ref: 009DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 009DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 009DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 009DC84D
RegCloseKey.ADVAPI32(?), ref: 009DC881
RegCloseKey.ADVAPI32(00000000), ref: 009DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 009DC960

Strings

REG_DWORD, xrefs: 009DC804
REG_SZ, xrefs: 009DC644
REG_EXPAND_SZ, xrefs: 009DC5CD
REG_BINARY, xrefs: 009DC913
REG_MULTI_SZ, xrefs: 009DC6F5
REG_QWORD, xrefs: 009DC8C3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 679610f7b3d6b44ed9e86df5a52fb533a1fb0f6d7d45151de54a2e54d8f9c57a
Instruction ID: 63e6fc838bb3e93d613441f6cdb0056771f4ed42bca72b0ccab52eee89f76338
Opcode Fuzzy Hash: 679610f7b3d6b44ed9e86df5a52fb533a1fb0f6d7d45151de54a2e54d8f9c57a
Instruction Fuzzy Hash: CD1267756082019FCB14DF15C891F2AB7E5EF88725F04885DF88A9B3A2DB31ED46CB81

Function 009E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E09C6
_wcslen.LIBCMT ref: 009E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E0A54
_wcslen.LIBCMT ref: 009E0A8A
_wcslen.LIBCMT ref: 009E0B06
_wcslen.LIBCMT ref: 009E0B81

Part of subcall function 0096F9F2: _wcslen.LIBCMT ref: 0096F9FD

Part of subcall function 009B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009B2BFA

Strings

GETTOTALCOUNT, xrefs: 009E09F2, 009E0A17
GETSELECTED, xrefs: 009E0C4E
UNCHECK, xrefs: 009E0D3E
EXISTS, xrefs: 009E0B7C, 009E0B97
GETITEMCOUNT, xrefs: 009E0C1E
ISCHECKED, xrefs: 009E0CE1
GETTEXT, xrefs: 009E0C97
SELECT, xrefs: 009E0D11
CHECK, xrefs: 009E0A85, 009E0AA0
COLLAPSE, xrefs: 009E0B01, 009E0B1C
EXPAND, xrefs: 009E0BF8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c215b63f5b676024bca536e8067fe0f4e484f3614eebb4cd57226d39a91c1b33
Instruction ID: 710281a93adbd41ddd280339e55c8ae3a4753acd02f207f700e9a934bfa3d46e
Opcode Fuzzy Hash: c215b63f5b676024bca536e8067fe0f4e484f3614eebb4cd57226d39a91c1b33
Instruction Fuzzy Hash: 97E18C312083819FCB15DF26C450A6AB7E5BFD8314F14895DF8969B3A2D770ED8ACB81

Function 009DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
_wcslen.LIBCMT ref: 009DC9F1
_wcslen.LIBCMT ref: 009DCA68
_wcslen.LIBCMT ref: 009DCA9E
_wcslen.LIBCMT ref: 009DCAF9
_wcslen.LIBCMT ref: 009DCB2F
_wcslen.LIBCMT ref: 009DCB7F

Strings

HKLM, xrefs: 009DCA98, 009DCA9D
HKEY_CURRENT_CONFIG, xrefs: 009DCB79, 009DCB7E
HKEY_LOCAL_MACHINE, xrefs: 009DCA62, 009DCA67
HKCU, xrefs: 009DCBCE
HKEY_USERS, xrefs: 009DCBDF
HKCR, xrefs: 009DCB29, 009DCB2E
HKCC, xrefs: 009DCBAC
HKU, xrefs: 009DCBF0
HKEY_CLASSES_ROOT, xrefs: 009DCAF3, 009DCAF8
HKEY_CURRENT_USER, xrefs: 009DCBBD

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7b1a310783454cceabbd162492e10b0877bb52d2dca91a78e750f069d5275244
Instruction ID: 452bb24f9fcf85d8f535b94fa9c9af4f21a4fdc1c494866fa896cce5e1cad278
Opcode Fuzzy Hash: 7b1a310783454cceabbd162492e10b0877bb52d2dca91a78e750f069d5275244
Instruction Fuzzy Hash: 4A7107B369012B8BCB20DE7CCD516BE33A9ABA0794F158927FC559B384E634CD85C390

Function 009E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009E835A
_wcslen.LIBCMT ref: 009E836E
_wcslen.LIBCMT ref: 009E8391
_wcslen.LIBCMT ref: 009E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009E5BF2), ref: 009E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009E8501
FreeLibrary.KERNEL32(?), ref: 009E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009E851D
DestroyIcon.USER32(?,?,?,?,?,009E5BF2), ref: 009E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009E8555

Strings

.icl, xrefs: 009E8368
.exe, xrefs: 009E8388
.dll, xrefs: 009E83AB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: eade99f8bc756127ea5069b125551ac63f44ced0e36d22f6dc0195c6ca02aac6
Instruction ID: 2df8330fad290379b79a03a795f2aebfaa4c7eed49e8fe55efdb559f8142bad5
Opcode Fuzzy Hash: eade99f8bc756127ea5069b125551ac63f44ced0e36d22f6dc0195c6ca02aac6
Instruction Fuzzy Hash: 7F61DDB1504245BAEB15DFA5CC81BBF77ACBB48B11F104549F819DA0E1EF74AE80D7A0

Function 00957778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00995169
Cannot parse #include, xrefs: 00995279
Unterminated group of comments, xrefs: 0099528C
#pragma compile, xrefs: 009577D3
#cs, xrefs: 00957873, 009578C5
", xrefs: 00995153
#comments-start, xrefs: 0095785F, 009578B1
#include, xrefs: 00957847
#requireadmin, xrefs: 009577FF
Bad directive syntax error, xrefs: 0099519A
#comments-end, xrefs: 009578D9
#OnAutoItStartRegister, xrefs: 00957817
#notrayicon, xrefs: 009577E7
#ce, xrefs: 009578ED
#include-once, xrefs: 0095782F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0c2d686b6bd88f78bf209f68e904bc9288c40947f4586ab8bc67d29d753ab8ec
Instruction ID: 7639fbaee686c5218b3a07f144b51f528458b5b037d0b320e0866b2d6b90ec52
Opcode Fuzzy Hash: 0c2d686b6bd88f78bf209f68e904bc9288c40947f4586ab8bc67d29d753ab8ec
Instruction Fuzzy Hash: 48813871644205BBDF22EFA5EC52FAF77A8AF84301F144425FD08AA192EB70DB05C7A1

Function 009B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009B5A40
SetWindowTextW.USER32(?,?), ref: 009B5A57
GetDlgItem.USER32(?,000003EA), ref: 009B5A6C
SetWindowTextW.USER32(00000000,?), ref: 009B5A72
GetDlgItem.USER32(?,000003E9), ref: 009B5A82
SetWindowTextW.USER32(00000000,?), ref: 009B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009B5AC3
GetWindowRect.USER32(?,?), ref: 009B5ACC
_wcslen.LIBCMT ref: 009B5B33
SetWindowTextW.USER32(?,?), ref: 009B5B6F
GetDesktopWindow.USER32 ref: 009B5B75
GetWindowRect.USER32(00000000), ref: 009B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 009B5BD3
GetClientRect.USER32(?,?), ref: 009B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 009B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009B5C2F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f55e72ffbfc74703e0789bf898618cc5ddecff4df07c3391c4ef3888b19f84f8
Instruction ID: b3005c29732dd52f1f664d678f378facbdcb528844b1c9850f6dcb0e6cc6a7f6
Opcode Fuzzy Hash: f55e72ffbfc74703e0789bf898618cc5ddecff4df07c3391c4ef3888b19f84f8
Instruction Fuzzy Hash: 93717D71900B09AFDB20DFA8CE85BAEBBF9FF48714F114918E582A65A0D775ED41CB10

Function 009700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009700C6

Part of subcall function 009700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A2070C,00000FA0,E62A5400,?,?,?,?,009923B3,000000FF), ref: 0097011C
Part of subcall function 009700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009923B3,000000FF), ref: 00970127
Part of subcall function 009700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009923B3,000000FF), ref: 00970138
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0097014E
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0097015C
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0097016A
Part of subcall function 009700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00970195
Part of subcall function 009700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009701A0

___scrt_fastfail.LIBCMT ref: 009700E7

Part of subcall function 009700A3: __onexit.LIBCMT ref: 009700A9

Strings

InitializeConditionVariable, xrefs: 00970148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00970122
WakeAllConditionVariable, xrefs: 00970162
SleepConditionVariableCS, xrefs: 00970154
kernel32.dll, xrefs: 00970133

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 19f3f82f25a79e75878e9f6a98597283c6948491cb4d5bca7727e4674ca4f44b
Instruction ID: 7c462ba25f2fb1341ed2931692c7db7c4e020e1c12c825523a88fb1cee9383c3
Opcode Fuzzy Hash: 19f3f82f25a79e75878e9f6a98597283c6948491cb4d5bca7727e4674ca4f44b
Instruction Fuzzy Hash: E4213B7364C750EFD7215BA8AC56F6A3798EBC4F64F00813AF805A76D2DB709C018A90

Function 009B30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B318D
_wcslen.LIBCMT ref: 009B31F8

Strings

TEXT, xrefs: 009B347C
NAME, xrefs: 009B3335, 009B3346
CLASS, xrefs: 009B3188, 009B31A5
CLASSNN, xrefs: 009B31F3, 009B3204
INSTANCE, xrefs: 009B3453
REGEXPCLASS, xrefs: 009B3255, 009B3266

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1309930b6c4e3c80246f002da48bb7c545d8dc613fb6993a6329a2055a5c183d
Instruction ID: 6c2c34751254481a147b91b0fdf6aa66e19f283a7825be09f1957b1a386bddde
Opcode Fuzzy Hash: 1309930b6c4e3c80246f002da48bb7c545d8dc613fb6993a6329a2055a5c183d
Instruction Fuzzy Hash: 48E10832A04516EBCB24DF78C5517EEBBB9BF84720F54C519E45AF7240DB30AE898790

Function 009C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009ECC08), ref: 009C4527
_wcslen.LIBCMT ref: 009C453B
_wcslen.LIBCMT ref: 009C4599
_wcslen.LIBCMT ref: 009C45F4
_wcslen.LIBCMT ref: 009C463F
_wcslen.LIBCMT ref: 009C46A7

Part of subcall function 0096F9F2: _wcslen.LIBCMT ref: 0096F9FD

GetDriveTypeW.KERNEL32(?,00A16BF0,00000061), ref: 009C4743

Strings

removable, xrefs: 009C45EA, 009C45EF
all, xrefs: 009C4531, 009C4536
network, xrefs: 009C469D, 009C46A2
fixed, xrefs: 009C4635, 009C463A
cdrom, xrefs: 009C458F, 009C4594
ramdisk, xrefs: 009C46F1
unknown, xrefs: 009C4708

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e188c23b8e9c85861728d110c09fcf314459446e06d9aea79f42b5c1cdee38dd
Instruction ID: dc63a89a82abc69c8a9863f0999fcbe9d3a4753ce8c6f6a7d7ac4fbd9a241ab7
Opcode Fuzzy Hash: e188c23b8e9c85861728d110c09fcf314459446e06d9aea79f42b5c1cdee38dd
Instruction Fuzzy Hash: BDB1DE71A083029BC710DF28C9A0F6AB7E9AFE5764F50491DF596C7296D730D848CBA3

Function 009DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DB1D4
_wcslen.LIBCMT ref: 009DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DB236
_wcslen.LIBCMT ref: 009DB332

Part of subcall function 009C05A7: GetStdHandle.KERNEL32(000000F6), ref: 009C05C6

_wcslen.LIBCMT ref: 009DB34B
_wcslen.LIBCMT ref: 009DB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009DB3B6
GetLastError.KERNEL32(00000000), ref: 009DB407
CloseHandle.KERNEL32(?), ref: 009DB439
CloseHandle.KERNEL32(00000000), ref: 009DB44A
CloseHandle.KERNEL32(00000000), ref: 009DB45C
CloseHandle.KERNEL32(00000000), ref: 009DB46E
CloseHandle.KERNEL32(?), ref: 009DB4E3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 6952ac90d38548c7b038a234897a7385a61f2f362d5605ef13006154df022bf7
Instruction ID: 52564c712c728030ca8fb63baef13a39161cc5c05c76bfeef3cb9608ce604bda
Opcode Fuzzy Hash: 6952ac90d38548c7b038a234897a7385a61f2f362d5605ef13006154df022bf7
Instruction Fuzzy Hash: 92F18832608340DFC714EF25D891B2ABBE5AF85714F15895EF8998B3A2DB31EC05CB52

Function 0095326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A21990), ref: 00992F8D
GetMenuItemCount.USER32(00A21990), ref: 0099303D
GetCursorPos.USER32(?), ref: 00993081
SetForegroundWindow.USER32(00000000), ref: 0099308A
TrackPopupMenuEx.USER32(00A21990,00000000,?,00000000,00000000,00000000), ref: 0099309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009930A9

Strings

0, xrefs: 0095327D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2a9ce46b91a298b698b8c725312e5034a6d65168b84356668b92f9ffea5b7b58
Instruction ID: fb121b27b722a7c1fe1876d0f35e22ea1e0fd2f64e05b95592074fe42aafc914
Opcode Fuzzy Hash: 2a9ce46b91a298b698b8c725312e5034a6d65168b84356668b92f9ffea5b7b58
Instruction Fuzzy Hash: F6710770644205BEEF21CF69CC89FAABF68FF45364F204216F9256A1E0C7B1AD14DB90

Function 009E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 009E6DEB

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E6E94
DestroyWindow.USER32(?), ref: 009E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00950000,00000000), ref: 009E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E6EFD
GetDesktopWindow.USER32 ref: 009E6F16
GetWindowRect.USER32(00000000), ref: 009E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009E6F4D

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

Strings

0, xrefs: 009E6D98
tooltips_class32, xrefs: 009E6E58, 009E6EDD

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 09790e4f818f9de5e40466b514577bf4660bdde4f5d4d085195300305cc3f96e
Instruction ID: 154488f543ad2a1b2a82cd5cfae058e48d492cb1d21c898f95ee5822a3e8ae77
Opcode Fuzzy Hash: 09790e4f818f9de5e40466b514577bf4660bdde4f5d4d085195300305cc3f96e
Instruction Fuzzy Hash: DE7168B0104285AFDB22CF19D884BBABBE9FB99744F04081DF999872A1C770ED46DB11

Function 009E911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DragQueryPoint.SHELL32(?,?), ref: 009E9147

Part of subcall function 009E7674: ClientToScreen.USER32(?,?), ref: 009E769A
Part of subcall function 009E7674: GetWindowRect.USER32(?,?), ref: 009E7710
Part of subcall function 009E7674: PtInRect.USER32(?,?,009E8B89), ref: 009E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 009E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 009E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 009E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 009E9277
DragFinish.SHELL32(?), ref: 009E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009E9371

Strings

@GUI_DROPID, xrefs: 009E929E
@GUI_DRAGID, xrefs: 009E92E9
@GUI_DRAGFILE, xrefs: 009E9320

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 3000a5b8b7835b27f2c863206010d728bba5c9739ffacfa9e816822d7b81994e
Instruction ID: d6d0b0ca413415deb220c677dd169f8aa82f9811a4bd22f501636fea56292665
Opcode Fuzzy Hash: 3000a5b8b7835b27f2c863206010d728bba5c9739ffacfa9e816822d7b81994e
Instruction Fuzzy Hash: D1618B71108341AFD701DF65DC85EAFBBE8EFC9750F00092EF995962A1DB309A4ACB52

Function 009CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 009CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009CC5F0
InternetCloseHandle.WININET(00000000), ref: 009CC5FB

Strings

, xrefs: 009CC575

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 568731b8c05923d91d1bd5f81b54b3b4c1572892b034cc5fe1dd88f7dcb7c73a
Instruction ID: b2dcae4306e7131d567f5ce4be970710a16aaa3149adad4143720f2897f8e927
Opcode Fuzzy Hash: 568731b8c05923d91d1bd5f81b54b3b4c1572892b034cc5fe1dd88f7dcb7c73a
Instruction Fuzzy Hash: F4514BF1904245BFEB218F64C988FAA7FBCEB08744F00841DF99996250DB35ED45AB62

Function 009E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 009E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,009EFC38,?), ref: 009E8611
GlobalFree.KERNEL32(00000000), ref: 009E8621
GetObjectW.GDI32(?,00000018,?), ref: 009E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 009E8671
DeleteObject.GDI32(?), ref: 009E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009E86AF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b7028634b470e419334104c494d84d82f74c23aadb03b51e391f2ce30016c006
Instruction ID: e44273a1c1c8e5e4f23b7a1ffeec68148814711263cdfe183cc596ea4aa71fb1
Opcode Fuzzy Hash: b7028634b470e419334104c494d84d82f74c23aadb03b51e391f2ce30016c006
Instruction Fuzzy Hash: 1E410BB5614244AFDB119FA5CC88EAB7BBCEB89B15F104058F959EB260DB309D02DB60

Function 009C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 009C1502
VariantCopy.OLEAUT32(?,?), ref: 009C150B
VariantClear.OLEAUT32(?), ref: 009C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 009C1657
VariantInit.OLEAUT32(?), ref: 009C1708
SysFreeString.OLEAUT32(?), ref: 009C178C
VariantClear.OLEAUT32(?), ref: 009C17D8
VariantClear.OLEAUT32(?), ref: 009C17E7
VariantInit.OLEAUT32(00000000), ref: 009C1823

Strings

Default, xrefs: 009C16AF
%4d%02d%02d%02d%02d%02d, xrefs: 009C1625

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: cca9ee96ee57805a021545e2493b68d2868c174ae38d14f8858940fd4154840d
Instruction ID: 6ff3a542dcca134e365c9120762add4a98c7c8659cecdccdfe38c6a001cc09fb
Opcode Fuzzy Hash: cca9ee96ee57805a021545e2493b68d2868c174ae38d14f8858940fd4154840d
Instruction Fuzzy Hash: 8BD11E71A00200EBDB00DF65E894F79B7B5BF8A700F50849AF846AB192DB34EC45DB66

Function 009DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 009DB80A
RegCloseKey.ADVAPI32(?), ref: 009DB87E
RegCloseKey.ADVAPI32(?), ref: 009DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 009DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 009DB922
FreeLibrary.KERNEL32(00000000), ref: 009DB983
RegCloseKey.ADVAPI32(00000000), ref: 009DB994

Strings

RegDeleteKeyExW, xrefs: 009DB8FE
advapi32.dll, xrefs: 009DB8ED

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 8ae0469aa11f74d3776638b0de01317ff399e4043eb8ea89d96fed489c4549a6
Instruction ID: 17e6c9040edebedf6ecf5e4152cb46dbef82d3b4a617298652d365cd794b7be3
Opcode Fuzzy Hash: 8ae0469aa11f74d3776638b0de01317ff399e4043eb8ea89d96fed489c4549a6
Instruction Fuzzy Hash: 5BC17974208241EFD710DF25C494F2ABBE5AF84318F15C95DE89A8B3A2CB35ED46CB91

Function 009D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009D25E8
CreateCompatibleDC.GDI32(?), ref: 009D25F4
SelectObject.GDI32(00000000,?), ref: 009D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 009D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009D26D0
SelectObject.GDI32(?,?), ref: 009D26D8
DeleteObject.GDI32(?), ref: 009D26E1
DeleteDC.GDI32(?), ref: 009D26E8
ReleaseDC.USER32(00000000,?), ref: 009D26F3

Strings

(, xrefs: 009D268D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: dbcf0b52382545771a499c501d1c26fb20c42d89fb4d369b9560a59653c2f6d9
Instruction ID: 205d2056404760184b8475d4fc17042502bedb0662f96b4fc2ce2da529bc178b
Opcode Fuzzy Hash: dbcf0b52382545771a499c501d1c26fb20c42d89fb4d369b9560a59653c2f6d9
Instruction Fuzzy Hash: 0B61E1B5D04219EFCF15CFA8D884AAEBBB5FF48310F20852AE955A7350D770AD419F60

Function 0098DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0098DAA1

Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D659
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D66B
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D67D
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D68F
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6A1
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6B3
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6C5
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6D7
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6E9
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6FB
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D70D
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D71F
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D731

_free.LIBCMT ref: 0098DA96

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098DAB8
_free.LIBCMT ref: 0098DACD
_free.LIBCMT ref: 0098DAD8
_free.LIBCMT ref: 0098DAFA
_free.LIBCMT ref: 0098DB0D
_free.LIBCMT ref: 0098DB1B
_free.LIBCMT ref: 0098DB26
_free.LIBCMT ref: 0098DB5E
_free.LIBCMT ref: 0098DB65
_free.LIBCMT ref: 0098DB82
_free.LIBCMT ref: 0098DB9A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 55df7a2a93b356bfb12be21056b3894361fafb0bbf7a2f3eff0e20fec061d886
Instruction ID: 46494809a82e50a5c4c6c81c6b631d2e6d7aa685886a74b325194b4ecc6bfb49
Opcode Fuzzy Hash: 55df7a2a93b356bfb12be21056b3894361fafb0bbf7a2f3eff0e20fec061d886
Instruction Fuzzy Hash: FA3136326452059FEB26BB39E945B5AB7EDFF40320F264429E449D7391DF36ED808B20

Function 009B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009B369C
_wcslen.LIBCMT ref: 009B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009B3797
GetClassNameW.USER32(?,?,00000400), ref: 009B380C
GetDlgCtrlID.USER32(?), ref: 009B385D
GetWindowRect.USER32(?,?), ref: 009B3882
GetParent.USER32(?), ref: 009B38A0
ScreenToClient.USER32(00000000), ref: 009B38A7
GetClassNameW.USER32(?,?,00000100), ref: 009B3921
GetWindowTextW.USER32(?,?,00000400), ref: 009B395D

Strings

%s%u, xrefs: 009B3734

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: d631c52afd3d4d7bdb33ce30b129cb2bd21a5c53884c7fd923c2588e1b8aa8cc
Instruction ID: 6ad36c49f65f7733b4bcd3ee2849f3138ef6ac932370ca90875ab82671574454
Opcode Fuzzy Hash: d631c52afd3d4d7bdb33ce30b129cb2bd21a5c53884c7fd923c2588e1b8aa8cc
Instruction Fuzzy Hash: 7191BF71204606EFD719DF24C985BEAB7ACFF44760F00C629F999D6190EB30EA46CB91

Function 009B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 009B4994
GetWindowTextW.USER32(?,?,00000400), ref: 009B49DA
_wcslen.LIBCMT ref: 009B49EB
CharUpperBuffW.USER32(?,00000000), ref: 009B49F7
_wcsstr.LIBVCRUNTIME ref: 009B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 009B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 009B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 009B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 009B4B20
GetWindowRect.USER32(?,?), ref: 009B4B8B

Strings

ThumbnailClass, xrefs: 009B4A6F, 009B4AF1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 89a20c770082ca471355e06f2d5337c7415654936e119ebcb05e6de9e1081e49
Instruction ID: 1b46c4f153e76f5e575663dd9c19c9d81cdf4e464b8f20c5222a1f4355bbc3c8
Opcode Fuzzy Hash: 89a20c770082ca471355e06f2d5337c7415654936e119ebcb05e6de9e1081e49
Instruction Fuzzy Hash: 8F91AE720082059BDB04DF14CA81BEA77ACFF84724F048469FE859A196DB30ED45DBA1

Function 009E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009E8D5A
GetFocus.USER32 ref: 009E8D6A
GetDlgCtrlID.USER32(00000000), ref: 009E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 009E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009E8ECF
GetMenuItemCount.USER32(?), ref: 009E8EEC
GetMenuItemID.USER32(?,00000000), ref: 009E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009E8FA1

Strings

0, xrefs: 009E8E9F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 683f92bd0e59874eac7df7afb9371b78bed83128730278f2e8f83fdca0be222d
Instruction ID: a9f703c05f07470054840743f7d8965f6ce202f805030ff9e3cd8156ccdc2b6b
Opcode Fuzzy Hash: 683f92bd0e59874eac7df7afb9371b78bed83128730278f2e8f83fdca0be222d
Instruction Fuzzy Hash: 8181C071508381AFDB12DF66C884AAB7BE9FF88714F04091DF99897291DB30DD01DBA2

Function 009BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009BDC46
_wcslen.LIBCMT ref: 009BDC50
_wcsstr.LIBVCRUNTIME ref: 009BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009BDCBC

Strings

%u.%u.%u.%u, xrefs: 009BDD9A
StringFileInfo\, xrefs: 009BDC8F
04090000, xrefs: 009BDCF2
\VarFileInfo\Translation, xrefs: 009BDCB4
DefaultLangCodepage, xrefs: 009BDD1F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4a3e324fed7110924a348b83371ce7fe14643496d7c6fdb98084cb03245e5172
Instruction ID: 73496dee0a3f715f00bf33557bc5f29603fd49f4c61a2bd6dc6e037d3eeba26d
Opcode Fuzzy Hash: 4a3e324fed7110924a348b83371ce7fe14643496d7c6fdb98084cb03245e5172
Instruction Fuzzy Hash: A7412273A412007AEB01AB649C43FFF3BACEFC1720F14446AF944E6182FB759D0296A4

Function 009DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 009DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009DCD48

Part of subcall function 009DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009DCCAA
Part of subcall function 009DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 009DCCBD
Part of subcall function 009DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009DCCCF
Part of subcall function 009DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009DCD05
Part of subcall function 009DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 009DCCF3

Strings

RegDeleteKeyExW, xrefs: 009DCCC9
advapi32.dll, xrefs: 009DCCB8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 7cf92af53f40c1f5739451b887b3dcfd3fdec5ab065bf0adad6286977d6d25db
Instruction ID: bbf09895b1c3d89d5ac85801be6b3af232e5629d99e2bc5c233f340fc1da95bc
Opcode Fuzzy Hash: 7cf92af53f40c1f5739451b887b3dcfd3fdec5ab065bf0adad6286977d6d25db
Instruction Fuzzy Hash: BA3180B1955129BBDB208BA0DC88EFFBB7CEF45740F004566F945E7240D7349E46EAA0

Function 009C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009C3D40
_wcslen.LIBCMT ref: 009C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 009C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 009C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009C3E55
CloseHandle.KERNEL32(00000000), ref: 009C3E60
CloseHandle.KERNEL32(00000000), ref: 009C3E6B

Strings

\, xrefs: 009C3D77
:, xrefs: 009C3D82
\??\%s, xrefs: 009C3D5B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 0b909c73fdceec20540084ff81f8dea72749e38985fed830a3fb64be565754c2
Instruction ID: 119e49196cd73be7f881c7d5dc3f3e6fe38f5201761f82cdda4db09edc92efcb
Opcode Fuzzy Hash: 0b909c73fdceec20540084ff81f8dea72749e38985fed830a3fb64be565754c2
Instruction Fuzzy Hash: 8C31B6B2914249ABDB20DBA0DC89FEF37BCEF88700F1081B9F619D6190E77497458B25

Function 009BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009BE6B4

Part of subcall function 0096E551: timeGetTime.WINMM(?,?,009BE6D4), ref: 0096E555

Sleep.KERNEL32(0000000A), ref: 009BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 009BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009BE727
SetActiveWindow.USER32 ref: 009BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 009BE773
Sleep.KERNEL32(000000FA), ref: 009BE77E
IsWindow.USER32 ref: 009BE78A
EndDialog.USER32(00000000), ref: 009BE79B

Strings

BUTTON, xrefs: 009BE719

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c31d7c21d200581744421b4612cbf5dd45652c0b5343b071914c4d7895ce77bf
Instruction ID: e7d7b5d89359de258b91869cf4b233f76aaf47d7ad39017b892985b6884187a8
Opcode Fuzzy Hash: c31d7c21d200581744421b4612cbf5dd45652c0b5343b071914c4d7895ce77bf
Instruction Fuzzy Hash: 5021A4B1214245BFEB20DFA4EEC9BB63B6DFB54758B101434F841952A1DF71AC039B14

Function 009BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009BEAA7

Strings

alias PlayMe, xrefs: 009BEA36
close PlayMe, xrefs: 009BEA6E, 009BEA9B
play PlayMe, xrefs: 009BEAA2
play PlayMe wait, xrefs: 009BEA91
open , xrefs: 009BEA0C
status PlayMe mode, xrefs: 009BEA58

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7c80e497b57350d5a15fca833f41b3d0c0a789144deba64e7597973bcd5e4820
Instruction ID: 3076dbbee648d580d2b750f947304f59e5fccada280ac02e5451f5266d55aad8
Opcode Fuzzy Hash: 7c80e497b57350d5a15fca833f41b3d0c0a789144deba64e7597973bcd5e4820
Instruction Fuzzy Hash: 80112131A5125D7AD720E7A6DD4AEFF6A7CFBD1B50F4008297811E20D1EE705989C6B0

Function 009B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009B5CE2
GetWindowRect.USER32(00000000,?), ref: 009B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 009B5D59
GetDlgItem.USER32(?,00000002), ref: 009B5D69
GetWindowRect.USER32(00000000,?), ref: 009B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 009B5DCF
GetDlgItem.USER32(?,000003E9), ref: 009B5DDD
GetWindowRect.USER32(00000000,?), ref: 009B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 009B5E31
GetDlgItem.USER32(?,000003EA), ref: 009B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 009B5E67

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: da628df0aa2687552f5e9fc7bf137d02e36011eaaf6af5faa4b267daf4c3d442
Instruction ID: d82b332825363e6dc14d9ab1b178dbea27b152c93325b4bd4212d547186ffe80
Opcode Fuzzy Hash: da628df0aa2687552f5e9fc7bf137d02e36011eaaf6af5faa4b267daf4c3d442
Instruction Fuzzy Hash: 24512EB0A10605AFDF18CF68CD89BAEBBB9FB48710F158229F915E6290D7709E01CB50

Function 00968BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00968F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00968BE8,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968FC5

DestroyWindow.USER32(?), ref: 00968C81
KillTimer.USER32(00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968D1B
DestroyAcceleratorTable.USER32(00000000), ref: 009A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 009A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 009A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000), ref: 009A69D4
DeleteObject.GDI32(00000000), ref: 009A69E6

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ed1b22c1c84559e6c5cf4dc91f0a9e2cb09b9d33c16c2e7eef0c3f5bb1708c53
Instruction ID: 6d2886fd67849b16931dfabb52ac601d7872f071ecd51b77eb9c4e7586fe7484
Opcode Fuzzy Hash: ed1b22c1c84559e6c5cf4dc91f0a9e2cb09b9d33c16c2e7eef0c3f5bb1708c53
Instruction Fuzzy Hash: E0618C71502700DFCB35DF28DA98B2677F5FB95312F144A28E0829A5A0CB39ADD2DF91

Function 00969838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

GetSysColor.USER32(0000000F), ref: 00969862

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 72e1b8831a1a59bd06e0b864e0869d6f46a499452503d14eacc077a3ead4305d
Instruction ID: 70d2c3145295e52a2a9c2c11b81b52720e5bfab5e4b902b7a57a507cd94e08bd
Opcode Fuzzy Hash: 72e1b8831a1a59bd06e0b864e0869d6f46a499452503d14eacc077a3ead4305d
Instruction Fuzzy Hash: E041A171508644AFDB209F789C89BBA3BADFB47370F144619F9A28B1E1D7319C42EB50

Function 009B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0099F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 009B9717
LoadStringW.USER32(00000000,?,0099F7F8,00000001), ref: 009B9720

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0099F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 009B9742
LoadStringW.USER32(00000000,?,0099F7F8,00000001), ref: 009B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 009B9866

Strings

Line %d:, xrefs: 009B97A0
Line %d (File "%s"):, xrefs: 009B978F
^ ERROR, xrefs: 009B97FB
Error: , xrefs: 009B981D
%s (%d) : ==> %s: %s %s, xrefs: 009B984A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ad83a17ed18ace1afa9600e5d90d681da5cac9cf7546e31f5128e1d90062ce45
Instruction ID: eec89d7f676ce539b65ad1b1274ad5b5f24c1a7d4afaee596ce67a4d4bbeac17
Opcode Fuzzy Hash: ad83a17ed18ace1afa9600e5d90d681da5cac9cf7546e31f5128e1d90062ce45
Instruction Fuzzy Hash: D3416D72800219AADF04EBE1DE86FEE7378AF94341F504465FA05B2092EB356F49CB61

Function 009B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 009B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009B083C

Strings

\IPC$, xrefs: 009B0784
\CLSID, xrefs: 009B0724
SOFTWARE\Classes\, xrefs: 009B070E

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 86a388efcdc5341db28bf83ecd439fa9b49768995b83c92633406c62bd91d644
Instruction ID: 80352a75c40eec10f869100cb7dbd45c71631cfd0522389d493997e01e723da9
Opcode Fuzzy Hash: 86a388efcdc5341db28bf83ecd439fa9b49768995b83c92633406c62bd91d644
Instruction Fuzzy Hash: CE410672C1022DEBDF15EBA4DC959EEB778FF84351B444529E901A7161EB309E48CBA0

Function 009D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D3C5C
CoInitialize.OLE32(00000000), ref: 009D3C8A
CoUninitialize.OLE32 ref: 009D3C94
_wcslen.LIBCMT ref: 009D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 009D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 009D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 009D3F0E
CoGetObject.OLE32(?,00000000,009EFB98,?), ref: 009D3F2D
SetErrorMode.KERNEL32(00000000), ref: 009D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009D3FC4
VariantClear.OLEAUT32(?), ref: 009D3FD8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3161a81d879f39099ac0d7e0f2bac1944506d6e5694cf9c8bc6dce2d43ca59d0
Instruction ID: dcf6548ed667ba5d1147ebc4d248b55f425afa58af07c216a771230163e0d308
Opcode Fuzzy Hash: 3161a81d879f39099ac0d7e0f2bac1944506d6e5694cf9c8bc6dce2d43ca59d0
Instruction Fuzzy Hash: E9C114B16083059FD700DF68C88492BB7E9FF89745F14891EF98A9B251D731EE06CB62

Function 009C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 009C7BA3
CoCreateInstance.OLE32(009EFD08,00000000,00000001,00A16E6C,?), ref: 009C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009C7C74
CoTaskMemFree.OLE32(?,?), ref: 009C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 009C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009C7D7A
CoTaskMemFree.OLE32(00000000), ref: 009C7D81
CoTaskMemFree.OLE32(00000000), ref: 009C7DD6
CoUninitialize.OLE32 ref: 009C7DDC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5e4bc785781d18f037f40aeb8745bb458e0c292085c4859c767394b50b8f3290
Instruction ID: e7055a5ecc5d387a1eff0615fb354cf52a8fea76516bb99e13b004c773b8ad6e
Opcode Fuzzy Hash: 5e4bc785781d18f037f40aeb8745bb458e0c292085c4859c767394b50b8f3290
Instruction Fuzzy Hash: 6FC10A75A04109AFDB14DFA4C884EAEBBB9FF48304B148499E85A9B261D730EE45CF91

Function 009E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E5515
CharNextW.USER32(00000158), ref: 009E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E55AC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: da8a29cddcacd18707f6a8bb75604eb824775b1ce847e5472d49f2520d9ccdbf
Instruction ID: 64be8aa66051b20bafa1c4ff4882875f5df7fffa00e98102b14e55756ddad282
Opcode Fuzzy Hash: da8a29cddcacd18707f6a8bb75604eb824775b1ce847e5472d49f2520d9ccdbf
Instruction Fuzzy Hash: 3B61E170904689EFDF12CF96CC84AFE3B79EB09728F114005F925AB2A1D7348E81DB60

Function 009AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 009AFB08
VariantInit.OLEAUT32(?), ref: 009AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 009AFB3A
VariantCopy.OLEAUT32(?,?), ref: 009AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 009AFBA1
VariantClear.OLEAUT32(?), ref: 009AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 009AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009AFBCC
VariantClear.OLEAUT32(?), ref: 009AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009AFBE9

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a56b582851937497fbcc927c63d82471e60a7b748f57f4775e7476ee922ab559
Instruction ID: 5bdd74bd05f8f468f655ec66273a638099962e02838a9bd211e3816f114e219e
Opcode Fuzzy Hash: a56b582851937497fbcc927c63d82471e60a7b748f57f4775e7476ee922ab559
Instruction Fuzzy Hash: C2414275A04219AFCB00DFA4D8A4DADBBB9FF49344F008065F955AB261D730ED46CBA0

Function 009B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 009B9D22
GetKeyState.USER32(000000A0), ref: 009B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 009B9D57
GetKeyState.USER32(000000A1), ref: 009B9D6C
GetAsyncKeyState.USER32(00000011), ref: 009B9D84
GetKeyState.USER32(00000011), ref: 009B9D96
GetAsyncKeyState.USER32(00000012), ref: 009B9DAE
GetKeyState.USER32(00000012), ref: 009B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 009B9DD8
GetKeyState.USER32(0000005B), ref: 009B9DEA

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ed56272fc14f300a4e1d4c61fc608b1934ef4397ceb0f47458303c82c2d94005
Instruction ID: d465e2de76a05bb90310cb8576fe78c4f8f781f93e3a06353c38948aaa7d7a36
Opcode Fuzzy Hash: ed56272fc14f300a4e1d4c61fc608b1934ef4397ceb0f47458303c82c2d94005
Instruction Fuzzy Hash: 96411D305287C96DFF30876186443F5BEE86F51324F44805AE7C65A2C2DBA4ADC8C791

Function 009D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009D05BC
inet_addr.WSOCK32(?), ref: 009D061C
gethostbyname.WSOCK32(?), ref: 009D0628
IcmpCreateFile.IPHLPAPI ref: 009D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009D07B9
WSACleanup.WSOCK32 ref: 009D07BF

Strings

Ping, xrefs: 009D0676

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f37db2a57a38848a12993b7092f3ba17c694d90fdf2b7a4a9e551ab050423295
Instruction ID: 31cefd3351f91da1320320d0f75df291bc590a594beccc4afb627c4535a852bd
Opcode Fuzzy Hash: f37db2a57a38848a12993b7092f3ba17c694d90fdf2b7a4a9e551ab050423295
Instruction Fuzzy Hash: C4917C756482419FD320CF15D889B1ABBE4AF84318F14C5AAF8A98F7A2C730ED45CF91

Function 009D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 009D8CF3

Part of subcall function 009B8E54: _wcslen.LIBCMT ref: 009B8E77

_wcslen.LIBCMT ref: 009D8D4E
_wcslen.LIBCMT ref: 009D8D9C
_wcslen.LIBCMT ref: 009D8DDC
_wcslen.LIBCMT ref: 009D8E6E

Strings

cdecl, xrefs: 009D8D48, 009D8D4D
winapi, xrefs: 009D8D96, 009D8D9B
stdcall, xrefs: 009D8DD6, 009D8DDB
none, xrefs: 009D8E65, 009D8E6A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5ee006f4e4bdc839d6e132ed96472eea97f4da425d02245d4fc61c287b2ed41e
Instruction ID: 511fead7c20a2d319eacc5fd9380a7bc0ad3a8a8af90f6a3472844d8e7cd84f0
Opcode Fuzzy Hash: 5ee006f4e4bdc839d6e132ed96472eea97f4da425d02245d4fc61c287b2ed41e
Instruction Fuzzy Hash: 7551B831A401169BCF14EF68C9405BF77BABF64750720861AE926E73C6DB34DD40CBA0

Function 009D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 009D3774
CoUninitialize.OLE32 ref: 009D377F
CoCreateInstance.OLE32(?,00000000,00000017,009EFB78,?), ref: 009D37D9
IIDFromString.OLE32(?,?), ref: 009D384C
VariantInit.OLEAUT32(?), ref: 009D38E4
VariantClear.OLEAUT32(?), ref: 009D3936

Strings

NULL Pointer assignment, xrefs: 009D381E
Failed to create object, xrefs: 009D37E4, 009D389A
Invalid parameter, xrefs: 009D3865

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 0cf6f50e6eccaacfb124373c80dd7748432184f90f62ef3655fd921b0ba2a339
Instruction ID: 30f90b376d1e875ad6eaa150c2871000e16e79d711eff9ab1b5d5a60c3e227d2
Opcode Fuzzy Hash: 0cf6f50e6eccaacfb124373c80dd7748432184f90f62ef3655fd921b0ba2a339
Instruction Fuzzy Hash: FC61AFB0648701AFD310DF54C888F5AB7E8AF88712F00880AF9859B391D770EE49DB93

Function 009C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009C33CF

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009C33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 009C3522
Incorrect parameters to object property !, xrefs: 009C34AB
Line %d (File "%s"):, xrefs: 009C3443, 009C345C
"%s" (%d) : ==> %s:%s%s, xrefs: 009C3504
^ ERROR , xrefs: 009C349E
Error: , xrefs: 009C34D1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 22901a6c0454e86c7dc69f8e18d323d1da7512dbe7b86aa6307bce94bca3f378
Instruction ID: e6a0a8b48234574de293bb05d50c1bbc76ccf27f40a63598df19fe0ec9deb998
Opcode Fuzzy Hash: 22901a6c0454e86c7dc69f8e18d323d1da7512dbe7b86aa6307bce94bca3f378
Instruction Fuzzy Hash: C8518C72D00209BADF15EBA1CD42FEEB379AF54341F508465B90972062EB312F59DB61

Function 009BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009BB5FC
_wcslen.LIBCMT ref: 009BB608
_wcslen.LIBCMT ref: 009BB64D
_wcslen.LIBCMT ref: 009BB68C
_wcslen.LIBCMT ref: 009BB6C7

Strings

KEYS, xrefs: 009BB647, 009BB64C
EXISTS, xrefs: 009BB686, 009BB68B
REMOVE, xrefs: 009BB602, 009BB607
APPEND, xrefs: 009BB6C1, 009BB6C6

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 94e2a11fdc4ca1915811470a698481f5b3bef1bf19de5a83bffcb2bd2dd25bee
Instruction ID: b69c18ec6f89461e81d1496c4469caed31ee3a5a321511f0adfb3d90a2647eb1
Opcode Fuzzy Hash: 94e2a11fdc4ca1915811470a698481f5b3bef1bf19de5a83bffcb2bd2dd25bee
Instruction Fuzzy Hash: 6E41D632A00026DBCB209F7DCE905FE77A9AFA0BB4B244529E565DB2C4E775CD81C790

Function 009C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009C5416
GetLastError.KERNEL32 ref: 009C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 009C54A7

Strings

NOTREADY, xrefs: 009C544B
UNKNOWN, xrefs: 009C5444
READONLY, xrefs: 009C5452
INVALID, xrefs: 009C5459
READY, xrefs: 009C5460, 009C5468

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e4688b2c3baddd7e89f5a14125598b2a2a447e26d8d1313dee2686731a99b1a7
Instruction ID: d55ed2eba99ba5c624eef8b1ee53dc416fecd32f2a91559a6039fcb9e52c9644
Opcode Fuzzy Hash: e4688b2c3baddd7e89f5a14125598b2a2a447e26d8d1313dee2686731a99b1a7
Instruction Fuzzy Hash: 07319C75E006049FD714DF68C884FAABBB8EB45305F158069E805CF2A2DB34EDC6CB92

Function 009E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009E3C79
SetMenu.USER32(?,00000000), ref: 009E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E3D10
IsMenu.USER32(?), ref: 009E3D24
CreatePopupMenu.USER32 ref: 009E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E3D5B
DrawMenuBar.USER32 ref: 009E3D63

Strings

F, xrefs: 009E3D4E
0, xrefs: 009E3C54

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d6ab2ed9a3e4aaf70948b366915bf3ee0c8bb5a7f7bd25fdcba5bbcacc5f8e18
Instruction ID: 7318a986a2b53aa2768751030f112cf7088683accc032fc925f9f6eeb3d779fb
Opcode Fuzzy Hash: d6ab2ed9a3e4aaf70948b366915bf3ee0c8bb5a7f7bd25fdcba5bbcacc5f8e18
Instruction Fuzzy Hash: 1A418D75A05249EFDB14CF65D888AAA77B9FF49300F144028F9469B3A0D730AE51DF90

Function 009E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 009E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009E3C13

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5469c192ae416a943a3b4ae75ec597eac22718147ae387340045adf1b1d7f7c6
Instruction ID: 590dfb39be90d24b62de58daea54e178f3f0437ea28f93f88c18c5700457a72e
Opcode Fuzzy Hash: 5469c192ae416a943a3b4ae75ec597eac22718147ae387340045adf1b1d7f7c6
Instruction Fuzzy Hash: 82618E75900248AFDB11DFA8CC85EFE77F8EB49700F1441A9FA15A7291C774AE42DB50

Function 009BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB165
GetWindowThreadProcessId.USER32(00000000), ref: 009BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 009BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009BA1E1,?,00000001), ref: 009BB21D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: fb85395a584155712f40013623458d53ec02c3ef8df8689962b851a94031cec8
Instruction ID: 8cdf187d8ac4e92288a8d76a097f7bfe6cd85c72d74023abe24d126f1327d8a6
Opcode Fuzzy Hash: fb85395a584155712f40013623458d53ec02c3ef8df8689962b851a94031cec8
Instruction Fuzzy Hash: 28314FB6618204BFDF20DF68DD84BBE7BADAB62721F104015F915DA190D7B89D428F60

Function 00982C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00982C94

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 00982CA0
_free.LIBCMT ref: 00982CAB
_free.LIBCMT ref: 00982CB6
_free.LIBCMT ref: 00982CC1
_free.LIBCMT ref: 00982CCC
_free.LIBCMT ref: 00982CD7
_free.LIBCMT ref: 00982CE2
_free.LIBCMT ref: 00982CED
_free.LIBCMT ref: 00982CFB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a159ddd298f86b4ab97f66d852078f1d02a18e61867ca698591c6b42b27f4946
Instruction ID: 17bdaa9b5fb1811522f7bd68468e51d65d15816c37d86ab06334b832dfbd9324
Opcode Fuzzy Hash: a159ddd298f86b4ab97f66d852078f1d02a18e61867ca698591c6b42b27f4946
Instruction Fuzzy Hash: 97117476500108AFCB02FF54DA82EDD3BA9FF45350F5245A5FA489F322DA36EE509B90

Function 00951410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00951459
OleUninitialize.OLE32(?,00000000), ref: 009514F8
UnregisterHotKey.USER32(?), ref: 009516DD
DestroyWindow.USER32(?), ref: 009924B9
FreeLibrary.KERNEL32(?), ref: 0099251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0099254B

Strings

close all, xrefs: 00951454

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 13a5646293f275a71cac40aa6fbb88671d4df3a28296d5cde724e0ade1320692
Instruction ID: fe22c3f1c70323644f88c4c80d149fa57e24821b51802cde676b2387ad0eafd1
Opcode Fuzzy Hash: 13a5646293f275a71cac40aa6fbb88671d4df3a28296d5cde724e0ade1320692
Instruction Fuzzy Hash: 98D1BE31702212DFCB29EF1AC899B29F7A4BF45701F1541ADE84A6B262DB31EC16CF51

Function 009C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 009C7FC1
GetFileAttributesW.KERNEL32(?), ref: 009C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 009C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009C80B0

Strings

*.*, xrefs: 009C8066

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 131a07e6a9c6719fc2f4c37caec6214f91443835fa11ca0f158063ebcea5fdbd
Instruction ID: 9ea12afc62c2007ba3fb66982d5c0e749d63389f05ab1d985151ce40af6e02d6
Opcode Fuzzy Hash: 131a07e6a9c6719fc2f4c37caec6214f91443835fa11ca0f158063ebcea5fdbd
Instruction Fuzzy Hash: 37817E729082419BCB20DF95C894FAAF3E8BB89350F144C5EF885D7261EB34DD498B53

Function 00955BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00955C7A

Part of subcall function 00955D0A: GetClientRect.USER32(?,?), ref: 00955D30
Part of subcall function 00955D0A: GetWindowRect.USER32(?,?), ref: 00955D71
Part of subcall function 00955D0A: ScreenToClient.USER32(?,?), ref: 00955D99

GetDC.USER32 ref: 009946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00994708
SelectObject.GDI32(00000000,00000000), ref: 00994716
SelectObject.GDI32(00000000,00000000), ref: 0099472B
ReleaseDC.USER32(?,00000000), ref: 00994733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009947C4

Strings

U, xrefs: 00994693

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 05fc6de226fbbf6bff1a411f72640b5bee391f0022b3b1f04f8b786af781eb62
Instruction ID: 81373a3730a56b50202311a59cef5049093931c9350c74ee9d35ba6a054bc7c2
Opcode Fuzzy Hash: 05fc6de226fbbf6bff1a411f72640b5bee391f0022b3b1f04f8b786af781eb62
Instruction Fuzzy Hash: A971E471400209DFCF22CFA8C984EBA3BB9FF4A365F144269ED955A166C3319C42DF50

Function 009C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009C35E4

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

LoadStringW.USER32(00A22390,?,00000FFF,?), ref: 009C360A

Strings

"%s" (%d) : ==> %s:, xrefs: 009C3742
Line %d (File "%s"):, xrefs: 009C366B
"%s" (%d) : ==> %s:%s%s, xrefs: 009C3724
^ ERROR, xrefs: 009C36C9
Error: , xrefs: 009C36EF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0f58123b55bbe3120c5782399659cb02015974adca0a4e3beb0c9a281a042f89
Instruction ID: 601f2e316e912343a729247d2f4b26542f8ca1a7403bc91908f4ec4f352f1863
Opcode Fuzzy Hash: 0f58123b55bbe3120c5782399659cb02015974adca0a4e3beb0c9a281a042f89
Instruction Fuzzy Hash: 77518E72C00209BADF14EBA1CD42FEEBB79EF54341F548129F505720A2EB311B99DB61

Function 009E8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

Part of subcall function 0096912D: GetCursorPos.USER32(?), ref: 00969141
Part of subcall function 0096912D: ScreenToClient.USER32(00000000,?), ref: 0096915E
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000001), ref: 00969183
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000002), ref: 0096919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 009E8B6B
ImageList_EndDrag.COMCTL32 ref: 009E8B71
ReleaseCapture.USER32 ref: 009E8B77
SetWindowTextW.USER32(?,00000000), ref: 009E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 009E8CFF

Strings

@GUI_DROPID, xrefs: 009E8C51
@GUI_DRAGFILE, xrefs: 009E8C9A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 0782ec3427270ae0d5f08639abccff5852eeed967272749d459334440810f260
Instruction ID: 3719837af55913af5afd63765a4431d7b9b18680374a837862dec48c90e1bda9
Opcode Fuzzy Hash: 0782ec3427270ae0d5f08639abccff5852eeed967272749d459334440810f260
Instruction Fuzzy Hash: 4951BB70108340AFD700DF65DC96BAA77E8FB88715F500A2DF996A72E1CB709D49CB62

Function 009CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009CC2CA
GetLastError.KERNEL32 ref: 009CC322
SetEvent.KERNEL32(?), ref: 009CC336
InternetCloseHandle.WININET(00000000), ref: 009CC341

Strings

, xrefs: 009CC2BB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2986d13692d900a750dbdba86dd5c1029a59e52d7c3d9b00cb7d7eaff3edd32b
Instruction ID: e53240aef724fdc82c02f29e37a8c4735accde5ef28fa86eee66f8b584af68b9
Opcode Fuzzy Hash: 2986d13692d900a750dbdba86dd5c1029a59e52d7c3d9b00cb7d7eaff3edd32b
Instruction Fuzzy Hash: B0319CF1A04248AFD7219FA49C88FAB7FFCEB49740B14851EF48AD6201DB34DD459B62

Function 009B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00993AAF,?,?,Bad directive syntax error,009ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009B98BC
LoadStringW.USER32(00000000,?,00993AAF,?), ref: 009B98C3

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009B9987

Strings

Error: , xrefs: 009B9955
Line %d:, xrefs: 009B9912
%s (%d) : ==> %s.: %s %s, xrefs: 009B98F1
Line %d (File "%s"):, xrefs: 009B992D
., xrefs: 009B996D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 1fa661a9e702fbf9a7364a7f9f0f5f446404cf76f60e3c48cb1817254c75ea21
Instruction ID: 481e63b64df5c7bd0b1d986fc9df0dc571306a06f11fcdc6d7ec0ea4cadb2888
Opcode Fuzzy Hash: 1fa661a9e702fbf9a7364a7f9f0f5f446404cf76f60e3c48cb1817254c75ea21
Instruction Fuzzy Hash: 1B215C3191021AEBDF15EFA0CC06FEE7739BF58701F044865BA19660A2EA719A58DB10

Function 009B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009B214D

Strings

list, xrefs: 009B212F
smallicons, xrefs: 009B2115
SHELLDLL_DefView, xrefs: 009B20CC
details, xrefs: 009B20FB
largeicons, xrefs: 009B20E1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 3abd35c1f4d235f6f413fd4930898f9a30369051435f966007a6bfb06de2a7ef
Instruction ID: 91bac71e2b2bb9d4863736ecab7b5ea7566439c391bc4309268447ec31909cf3
Opcode Fuzzy Hash: 3abd35c1f4d235f6f413fd4930898f9a30369051435f966007a6bfb06de2a7ef
Instruction Fuzzy Hash: 251106B7A8C707B9F6052334DD06DE7379CDB45734B20441AFB08E50D2FA696C425A14

Function 0098CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0098CEB7
_free.LIBCMT ref: 0098CF22
_free.LIBCMT ref: 0098CF48
_free.LIBCMT ref: 0098CF71
_free.LIBCMT ref: 0098CFA9
_free.LIBCMT ref: 0098CFDA
_free.LIBCMT ref: 0098D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0098D09C
_free.LIBCMT ref: 0098D0B5

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 93b50c13fd6f1326d19a5332acc7e110ebd604365e750cf60c1fbc0231a6c6ce
Instruction ID: 262a41dfe52b9e4d95e0b2f359b9e27524e239bd939010b93d5370dee0b0a590
Opcode Fuzzy Hash: 93b50c13fd6f1326d19a5332acc7e110ebd604365e750cf60c1fbc0231a6c6ce
Instruction Fuzzy Hash: C96129B1905301AFEF35BFB89881B7E7BA9EF45310F14416EFA45A7382D6369D028760

Function 009E50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 009E5186
ShowWindow.USER32(?,00000000), ref: 009E51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009E51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009E51D1

Part of subcall function 009E6FBA: DeleteObject.GDI32(00000000), ref: 009E6FE6

GetWindowLongW.USER32(?,000000F0), ref: 009E520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009E524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 009E5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 009E5296

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 59f989956786fd3aae9d0142226b8fc8c948b3fdce90f6fc94b6d015787bf802
Instruction ID: ca4192b01ab9d6e9c75543366a9e63df7a7f65b2deb95cf4e8ba50d300df4dfa
Opcode Fuzzy Hash: 59f989956786fd3aae9d0142226b8fc8c948b3fdce90f6fc94b6d015787bf802
Instruction Fuzzy Hash: A851E370A54A88BFEF329F26CC45BD93B69FB05369F158011FA249A2E1C375DD80DB40

Function 00968B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 009A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00968874,00000000,00000000,00000000,000000FF,00000000), ref: 009A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00968874,00000000,00000000,00000000,000000FF,00000000), ref: 009A692D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2cec8a9f31dd0bd97278bd89dd51d774c31c8d222e422181557b33f6c55ef4ce
Instruction ID: de3d9b70c828c8587c56e5a76287c21ef99953cf9a02300f263ea78202e5d591
Opcode Fuzzy Hash: 2cec8a9f31dd0bd97278bd89dd51d774c31c8d222e422181557b33f6c55ef4ce
Instruction Fuzzy Hash: 8F518DB0600209EFDB20CF28CC95FAA7BB9FB94750F144618F952972A0DB74ED91DB50

Function 009CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009CC182
GetLastError.KERNEL32 ref: 009CC195
SetEvent.KERNEL32(?), ref: 009CC1A9

Part of subcall function 009CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009CC272
Part of subcall function 009CC253: GetLastError.KERNEL32 ref: 009CC322
Part of subcall function 009CC253: SetEvent.KERNEL32(?), ref: 009CC336
Part of subcall function 009CC253: InternetCloseHandle.WININET(00000000), ref: 009CC341

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 789def14d95b9151189841df7f6142be699f7b9d7b0d4e2f23aa0ebf1884aa2d
Instruction ID: 4ccee4c84bd820613f4c821c4aaf7621faffb5caab8718bf60644989f2536785
Opcode Fuzzy Hash: 789def14d95b9151189841df7f6142be699f7b9d7b0d4e2f23aa0ebf1884aa2d
Instruction Fuzzy Hash: 0E319AB1A04641AFDB219FA5DC44F66BFEDFF58310B04441DF9AA86611C731E811ABA2

Function 009B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 009B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 009B2627

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f1877cec4c4d15c691540e8a81b19ca4b599258d09e2ad2065f4efdfaf25f92c
Instruction ID: 75d0a8c1659d77f3e3d750b7a7e7ba4d22e596fd41f2aec8ffe02a54e23d1830
Opcode Fuzzy Hash: f1877cec4c4d15c691540e8a81b19ca4b599258d09e2ad2065f4efdfaf25f92c
Instruction Fuzzy Hash: F501D870398350BBFB1067699CCAF993F59DB8EB22F100011F354AE0D1C9E118459A69

Function 009B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,009B1449,?,?,00000000), ref: 009B180C
HeapAlloc.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009B1449,?,?,00000000), ref: 009B1828
GetCurrentProcess.KERNEL32(?,00000000,?,009B1449,?,?,00000000), ref: 009B1830
DuplicateHandle.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009B1449,?,?,00000000), ref: 009B1843
GetCurrentProcess.KERNEL32(009B1449,00000000,?,009B1449,?,?,00000000), ref: 009B184B
DuplicateHandle.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B184E
CreateThread.KERNEL32(00000000,00000000,009B1874,00000000,00000000,00000000), ref: 009B1868

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 35b3d6f619d1523faabe0f7b0788bafff59dabcd3965ea6766b6be655fbd75c6
Instruction ID: c91e2a9b3488a70d4f31efbf197a6ed4e4e89416b19bbeb317fe519bc7e965ea
Opcode Fuzzy Hash: 35b3d6f619d1523faabe0f7b0788bafff59dabcd3965ea6766b6be655fbd75c6
Instruction Fuzzy Hash: 7C01A8B5254348BFE610ABA5DC89F6B3BACEB89B11F404411FA45DB1A1CA709C019B20

Function 009DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 009BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 009BD501
Part of subcall function 009BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 009BD50F
Part of subcall function 009BD4DC: CloseHandle.KERNEL32(00000000), ref: 009BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DA16D
GetLastError.KERNEL32 ref: 009DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 009DA268
GetLastError.KERNEL32(00000000), ref: 009DA273
CloseHandle.KERNEL32(00000000), ref: 009DA2C4

Strings

SeDebugPrivilege, xrefs: 009DA18F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: fbac4e33f59609aff5496d268c4d96c9758013e3cc081091591a7815ac4dfbc6
Instruction ID: d9cfed9d9ee67d9a4bdedb37236aa06e7624b24a7465d1a4d74d773862a2c897
Opcode Fuzzy Hash: fbac4e33f59609aff5496d268c4d96c9758013e3cc081091591a7815ac4dfbc6
Instruction Fuzzy Hash: B061AE702482429FD710DF19C894F1ABBE5AF84318F14C48DE9664B7A3C776ED49CB92

Function 009E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009E3954
_wcslen.LIBCMT ref: 009E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009E39F4

Strings

SysListView32, xrefs: 009E38F7

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d9b2e5167ba37b6500b496adcb5c059918208761693450d2ae1fa98aa9cd4288
Instruction ID: 9d8522d67651bf8c3c05ed0d642380d6af5f5854b62413d78ed021eed13cba60
Opcode Fuzzy Hash: d9b2e5167ba37b6500b496adcb5c059918208761693450d2ae1fa98aa9cd4288
Instruction Fuzzy Hash: AB41C371A00259ABEF229F65CC49FEA7BA9FF48350F104526F948E7281D7719E80CB90

Function 009BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009BBCFD
IsMenu.USER32(00000000), ref: 009BBD1D
CreatePopupMenu.USER32 ref: 009BBD53
GetMenuItemCount.USER32(012D5CD8), ref: 009BBDA4
InsertMenuItemW.USER32(012D5CD8,?,00000001,00000030), ref: 009BBDCC

Strings

2, xrefs: 009BBD37
0, xrefs: 009BBCA8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 313642c4245e9d4564665079bd744c971cf97388bd4bceeef375ffdd0674e868
Instruction ID: e590e4abef7365812b7effef1a85bd7e5bc7aa4b9045dfcb4ce5dc70e2492e8f
Opcode Fuzzy Hash: 313642c4245e9d4564665079bd744c971cf97388bd4bceeef375ffdd0674e868
Instruction Fuzzy Hash: 0D51AFB0A04205DBDF20CFA8DAC4BEEBBF8AFC5324F144619E5519B2D0D7B89941CB61

Function 009BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009BC913

Strings

question, xrefs: 009BC8CC
blank, xrefs: 009BC895
warning, xrefs: 009BC8FC
info, xrefs: 009BC8B4
stop, xrefs: 009BC8E4

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3cc5140ae1a8291aa8553b93ecd2f57268a1fbf74fdd85aa1aaf174a18f345c0
Instruction ID: f71798ca017de03ac7621d45d280970f820812b7033feaa6c8cca115e7d84b79
Opcode Fuzzy Hash: 3cc5140ae1a8291aa8553b93ecd2f57268a1fbf74fdd85aa1aaf174a18f345c0
Instruction Fuzzy Hash: 331136B2789307BAF7049B149E83DEA379CDF55375B20442AF504E62C2E7B4AE405268

Function 009BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009BED2A
_wcslen.LIBCMT ref: 009BED3B
_wcslen.LIBCMT ref: 009BED79
_wcslen.LIBCMT ref: 009BEDAF
_wcslen.LIBCMT ref: 009BEDDF
_wcslen.LIBCMT ref: 009BEDEF
_wcslen.LIBCMT ref: 009BEE2B
_wcslen.LIBCMT ref: 009BEE5A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d8934dde24263c020790e6e800f6c0f7c3230376936c5e6aea9b765bfc664ab6
Instruction ID: efe7d97adb1630ab58d7e29805d417c8f04a4b23fe679717fae293e416551771
Opcode Fuzzy Hash: d8934dde24263c020790e6e800f6c0f7c3230376936c5e6aea9b765bfc664ab6
Instruction Fuzzy Hash: 2B419666D10118B6CB11EBF4888AACF77BCAF85710F50C566F528E3122FB34E255C7A6

Function 0096F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 0096F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009AF454

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 18ef2c9955a9d9b19047f369774cbe1fa5de96f49b593db382e504bc2a7215dc
Instruction ID: 875c879ca13288ca7c963155479500b2cad6e96aa14a6cdac028da6bed5e1856
Opcode Fuzzy Hash: 18ef2c9955a9d9b19047f369774cbe1fa5de96f49b593db382e504bc2a7215dc
Instruction Fuzzy Hash: C1414D70208780BADB398B7DE9FC73A7BE9AB5B354F14483CE09756660C636A881D750

Function 009E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009E2D1B
GetDC.USER32(00000000), ref: 009E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 009E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 009E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009E2DE1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8779f950778006ef923b248166412f666089b291186a781fdc4b6915177df7ff
Instruction ID: da1967fe54448af3b937e52043ba58935ac5c97cc46bd8b898718e2c90ad34ca
Opcode Fuzzy Hash: 8779f950778006ef923b248166412f666089b291186a781fdc4b6915177df7ff
Instruction Fuzzy Hash: E03189B2215294BBEB218F558C8AFEB3BADEB49721F044055FE489E291C6759C41CBA0

Function 009B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009B5637
_memcmp.LIBVCRUNTIME ref: 009B5659
_memcmp.LIBVCRUNTIME ref: 009B5671
_memcmp.LIBVCRUNTIME ref: 009B5684
_memcmp.LIBVCRUNTIME ref: 009B569E
_memcmp.LIBVCRUNTIME ref: 009B56B1
_memcmp.LIBVCRUNTIME ref: 009B56C9
_memcmp.LIBVCRUNTIME ref: 009B56E4

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 83e8189dec1072d2faab75f31eaee7ecb2510675e22e611cae2f25342594d924
Instruction ID: b1c04f45ce96ff50effb772eee53031683921d21274b7d7ab66ebcfc02a3a5a3
Opcode Fuzzy Hash: 83e8189dec1072d2faab75f31eaee7ecb2510675e22e611cae2f25342594d924
Instruction Fuzzy Hash: D5212E72740A09F7E61555258F92FFB335CAFA03ACF654035FD089A581FB24EE1182E5

Function 009D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 009D502E, 009D5383
Not an Object type, xrefs: 009D5007

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7ca01e4a227b456cbb7568e4ba3b89b678c09e41b24a766d22bae259aab1103c
Instruction ID: 3e4c2d4d990331c00e0bf309b5cbad3e19c08cfc0fd582ce461225b38b4b6132
Opcode Fuzzy Hash: 7ca01e4a227b456cbb7568e4ba3b89b678c09e41b24a766d22bae259aab1103c
Instruction Fuzzy Hash: FED1A271A4060A9FDF10CF98C881BAEB7B9BF48344F15C46AE915AB381E770DD45CB90

Function 00991522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00991651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009917FB,?,009917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009916FB

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00991777
__freea.LIBCMT ref: 009917A2
__freea.LIBCMT ref: 009917AE

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d0aa6e95ad7746bafd69841ee599aa03141521202356934aa625eb26ce640451
Instruction ID: 5ecc1c136a6fd0c0afe37c5738ac7130d1eeb0fb10c7a3db5e5ccee0c8df8c91
Opcode Fuzzy Hash: d0aa6e95ad7746bafd69841ee599aa03141521202356934aa625eb26ce640451
Instruction Fuzzy Hash: B891B372E002179ADF219EB8C881AEE7BB9BF89710F194659F905E7281D735DC40CB61

Function 009D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D4648
VariantInit.OLEAUT32(?), ref: 009D4749
VariantClear.OLEAUT32(?), ref: 009D4753
VariantClear.OLEAUT32(?), ref: 009D47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 009D45D8, 009D4706, 009D47BE
Incorrect Object type in FOR..IN loop, xrefs: 009D472C

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b02d692df8a21f50e59eaeb96086512e8dd7aeceaa4bb45f430ad07b8976e60f
Instruction ID: 5290cc2c41de36bd3f2af945969c35294489d4d21e4d448c361770d5438b70b0
Opcode Fuzzy Hash: b02d692df8a21f50e59eaeb96086512e8dd7aeceaa4bb45f430ad07b8976e60f
Instruction Fuzzy Hash: 19919071A40219ABDF20CFA5DC84FAEBBB8EF86714F10855AF515AB280D7709941CFA0

Function 009C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 009C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 009C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C1430

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: ca7cd856af47b212702b5fb8c070feb36105edb2c08e0c0300c501a6ecf0f71b
Instruction ID: 67927f61c617f5a319ec53db6b2cd129b7a6e3eb33fe3280538fc2f75da6985c
Opcode Fuzzy Hash: ca7cd856af47b212702b5fb8c070feb36105edb2c08e0c0300c501a6ecf0f71b
Instruction Fuzzy Hash: B791E175E002099FEB04DF94C884FBE77B9FF86315F104029E950EB2A2D774A941CB96

Function 0096948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e4de8337751b7c4de9909f41f9b093a8f3f393cd28a987bbbc610ebbdb3bdbb4
Instruction ID: 684155e34d2b9cde473d98de0c8f58fb38ad6cf3abc8fa90887dd7ad168533cb
Opcode Fuzzy Hash: e4de8337751b7c4de9909f41f9b093a8f3f393cd28a987bbbc610ebbdb3bdbb4
Instruction Fuzzy Hash: 56912771D04219EFCB10CFA9CC85AEEBBB8FF49320F144559E916B7251D778A942CBA0

Function 009D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D396B
CharUpperBuffW.USER32(?,?), ref: 009D3A7A
_wcslen.LIBCMT ref: 009D3A8A
VariantClear.OLEAUT32(?), ref: 009D3C1F

Part of subcall function 009C0CDF: VariantInit.OLEAUT32(00000000), ref: 009C0D1F
Part of subcall function 009C0CDF: VariantCopy.OLEAUT32(?,?), ref: 009C0D28
Part of subcall function 009C0CDF: VariantClear.OLEAUT32(?), ref: 009C0D34

Strings

AUTOIT.ERROR, xrefs: 009D3A80, 009D3A85
Incorrect Parameter format, xrefs: 009D39A6, 009D3BA1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 91aabcac26c7a06a331f20a3a34c6b27a14464c5133b3c8feaa963513814cfd5
Instruction ID: ffe7e9f1348bcc88e552c8c291da9934f4aa3d0ad49a466f8d829421b5d02716
Opcode Fuzzy Hash: 91aabcac26c7a06a331f20a3a34c6b27a14464c5133b3c8feaa963513814cfd5
Instruction Fuzzy Hash: 7C9157756083019FC700DF64C490A6AB7E8FF89315F14892EF8899B351DB34EE49CB92

Function 009D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 009B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?,?,009B035E), ref: 009B002B
Part of subcall function 009B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0046
Part of subcall function 009B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0054
Part of subcall function 009B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?), ref: 009B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 009D4C51
_wcslen.LIBCMT ref: 009D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 009D4DCF
CoTaskMemFree.OLE32(?), ref: 009D4DDA

Strings

NULL Pointer assignment, xrefs: 009D4E23, 009D4E52

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 703c2db57571b5a33584b7dd0fd8853cd0542bab92ba30ce1383a94f7d5f5752
Instruction ID: e63c7125bbdc76171ecde8d8df0838ff0d0566a8d750354b703f7b655d5c9d26
Opcode Fuzzy Hash: 703c2db57571b5a33584b7dd0fd8853cd0542bab92ba30ce1383a94f7d5f5752
Instruction Fuzzy Hash: 16911871D0021DEFDF10DFA5C891AEEB7B9BF48310F10856AE919AB251DB349A45CFA0

Function 009E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009E2183
GetMenuItemCount.USER32(00000000), ref: 009E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009E21DD
_wcslen.LIBCMT ref: 009E2213
GetMenuItemID.USER32(?,?), ref: 009E224D
GetSubMenu.USER32(?,?), ref: 009E225B

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009E22E3

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 80c594c0e9c2407a70bb92a5f57b3c98c274f59d7e02f45e9ea25b2c37b2dbda
Instruction ID: 378574ff55c436333ec8c4b29be14b85515ac44e352e973cc10b4ae234fb0715
Opcode Fuzzy Hash: 80c594c0e9c2407a70bb92a5f57b3c98c274f59d7e02f45e9ea25b2c37b2dbda
Instruction Fuzzy Hash: D571B075A04245AFCB15DF65C881AAEB7F9FF88310F108458E966EB341DB34EE01CB90

Function 009BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009BAEF9
GetKeyboardState.USER32(?), ref: 009BAF0E
SetKeyboardState.USER32(?), ref: 009BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 009BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 009BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 009BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009BB020

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e75403ac9d23569ae37684b3fab4720c8c94e44f6dc20810c1a0bb7dfd2e37a3
Instruction ID: 37b6a4912af76d87a8f8d41544398b8dfe20aabea4e133393bb53195b2f9dda4
Opcode Fuzzy Hash: e75403ac9d23569ae37684b3fab4720c8c94e44f6dc20810c1a0bb7dfd2e37a3
Instruction Fuzzy Hash: CF51D1A06187D53DFB3652348E45BFBBEAD5B06324F088489E1E9558C2C3D9ECC8D751

Function 009BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009BAD19
GetKeyboardState.USER32(?), ref: 009BAD2E
SetKeyboardState.USER32(?), ref: 009BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009BAE38

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5e702596f88195692c9a85f1a158c388468198b5358475dc723f40f2105d719e
Instruction ID: e44c24aec4c3e174c4d2cfcd705fb8bc7c1cb6b727b342a95072f8e3468bd092
Opcode Fuzzy Hash: 5e702596f88195692c9a85f1a158c388468198b5358475dc723f40f2105d719e
Instruction Fuzzy Hash: 6051F6A15087D53DFB338334CE95BFA7EAD5B86710F088588E1D54A8C2C294EC88E762

Function 0098542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00993CD6,?,?,?,?,?,?,?,?,00985BA3,?,?,00993CD6,?,?), ref: 00985470
__fassign.LIBCMT ref: 009854EB
__fassign.LIBCMT ref: 00985506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00993CD6,00000005,00000000,00000000), ref: 0098552C
WriteFile.KERNEL32(?,00993CD6,00000000,00985BA3,00000000,?,?,?,?,?,?,?,?,?,00985BA3,?), ref: 0098554B
WriteFile.KERNEL32(?,?,00000001,00985BA3,00000000,?,?,?,?,?,?,?,?,?,00985BA3,?), ref: 00985584

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 48c52e98991a094b8e7ddd9cb2c6fc6ed2657dc09d31253b658a9391f822e197
Instruction ID: de63d4344eb5464ee3664c5ac149d2d15759d1ae547ac936dddaad3b99d21233
Opcode Fuzzy Hash: 48c52e98991a094b8e7ddd9cb2c6fc6ed2657dc09d31253b658a9391f822e197
Instruction Fuzzy Hash: 7151E3B1A006499FDB10DFA8D885AEEBBF9EF08300F15451AF955E7391D7309E46CB60

Function 00972D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00972D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00972D53
_ValidateLocalCookies.LIBCMT ref: 00972DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00972E0C
_ValidateLocalCookies.LIBCMT ref: 00972E61

Strings

csm, xrefs: 00972DF6

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 417d40e0b6f7d2c0681a44ce4558b698746d310304d9a389170c66130c7df450
Instruction ID: 6c25148bc88135230222a87f6bf503c89da402f9f8b2d34268a4a0db0b419c53
Opcode Fuzzy Hash: 417d40e0b6f7d2c0681a44ce4558b698746d310304d9a389170c66130c7df450
Instruction Fuzzy Hash: D1419236E10209ABCF20DF68CC55A9EBBB9BF84324F14C155E9186B392D731EA45CB91

Function 009D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
Part of subcall function 009D304E: _wcslen.LIBCMT ref: 009D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009D1112
WSAGetLastError.WSOCK32 ref: 009D1121
WSAGetLastError.WSOCK32 ref: 009D11C9
closesocket.WSOCK32(00000000), ref: 009D11F9

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: a2ee54a599b509fb46039bb1767325f4d81c7f1a984a0254518aeb01c136634f
Instruction ID: bdc06b311612f1f622fbc0759dd564a59427c5aced9bd8efcf9846d46427d9ca
Opcode Fuzzy Hash: a2ee54a599b509fb46039bb1767325f4d81c7f1a984a0254518aeb01c136634f
Instruction Fuzzy Hash: C541F272604204AFDB10DF64C884BAABBE9EF85324F14C05AFD559F392C774AD46CBA1

Function 009BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009BCF22,?), ref: 009BDDFD

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009BCF22,?), ref: 009BDE16

lstrcmpiW.KERNEL32(?,?), ref: 009BCF45
MoveFileW.KERNEL32(?,?), ref: 009BCF7F
_wcslen.LIBCMT ref: 009BD005
_wcslen.LIBCMT ref: 009BD01B
SHFileOperationW.SHELL32(?), ref: 009BD061

Strings

\*.*, xrefs: 009BCFF3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 0f340865d76a141534636337cf130564b1c6902998f4ea2cd9cc419d139e1016
Instruction ID: 1bfb9de91303cd17c79e8bfe900cfed4dfd8af7fbe7cb5e97b617c2d45821307
Opcode Fuzzy Hash: 0f340865d76a141534636337cf130564b1c6902998f4ea2cd9cc419d139e1016
Instruction Fuzzy Hash: 4A4169B190521C9FDF12EFA4CA81BED77BDAF48390F1004E6E549EB142EB34A645CB50

Function 009E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 009E2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 009E2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009E2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009E2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 009E2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009E2F0B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2e23575fe6761fdcec62f85a948921185fbd27f7cc54a20ff128eb0169178d2a
Instruction ID: 93719378fbd2a5e2df359a7318fcf161789d8fb3606b19f3526938f3a819ef34
Opcode Fuzzy Hash: 2e23575fe6761fdcec62f85a948921185fbd27f7cc54a20ff128eb0169178d2a
Instruction Fuzzy Hash: C73108316082A19FDB22CF59DC84F6537E9FB9AB10F1501A8F9419F2B2CB71AC42DB41

Function 009B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B778F
SysAllocString.OLEAUT32(00000000), ref: 009B7792
SysAllocString.OLEAUT32(?), ref: 009B77B0
SysFreeString.OLEAUT32(?), ref: 009B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009B77DE
SysAllocString.OLEAUT32(?), ref: 009B77EC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6f91c26c5bc4037c2fe869b29a59eaec6b5e859f17cabc2066b5fa035f5f1111
Instruction ID: af7dbb28520078fcd292debb962139c21eee2de402a9b436cc7698235a13093b
Opcode Fuzzy Hash: 6f91c26c5bc4037c2fe869b29a59eaec6b5e859f17cabc2066b5fa035f5f1111
Instruction Fuzzy Hash: 8721B276608219AFDB10DFA8DDC8DFBB7ACEB493647108525F914DF1A0DA70DC428760

Function 009B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7868
SysAllocString.OLEAUT32(00000000), ref: 009B786B
SysAllocString.OLEAUT32 ref: 009B788C
SysFreeString.OLEAUT32 ref: 009B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 009B78AF
SysAllocString.OLEAUT32(?), ref: 009B78BD

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 08130108ea1a12dd908e7cc4c7d0c3effea0469ea6864f8df9a4850fbd9ef09b
Instruction ID: dcf304463c7a21554aaca5b76242c7a28cbf2aaa6518e69e8d2708c836c59a65
Opcode Fuzzy Hash: 08130108ea1a12dd908e7cc4c7d0c3effea0469ea6864f8df9a4850fbd9ef09b
Instruction Fuzzy Hash: B5216072608204BFDB109FF8DDC8DAAB7ACEB497607108225F915CB2A1E674DC41DB64

Function 009C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C052E

Strings

nul, xrefs: 009C0567

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 78fe944e8967bf004578ff2bda5cb4f65035e3973ca4056ee4bec96bd47ca42d
Instruction ID: 439de64aa8f0adc464ce73b9ae404d9e33b3215d067f538f06582e60d9197bbc
Opcode Fuzzy Hash: 78fe944e8967bf004578ff2bda5cb4f65035e3973ca4056ee4bec96bd47ca42d
Instruction Fuzzy Hash: 16215CB5900345EBDF209F2AD844F9A7BA8BF84724F204A1DF8A1D62E0E770D941DF21

Function 009C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C0601

Strings

nul, xrefs: 009C0639

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d57f91f8b6f862207041a7876facde25bd7d0607cf90b27d88dfe81825b9c631
Instruction ID: a4b42d6cc85e697f7945d2164d6488aaa888b08a4160010916b729c2173ca8f8
Opcode Fuzzy Hash: d57f91f8b6f862207041a7876facde25bd7d0607cf90b27d88dfe81825b9c631
Instruction Fuzzy Hash: 9C219F75904315DBDB208F698D44F9A77A8AFC5B20F200B1DF8E1E72E0D7709861CB22

Function 009E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0095600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
Part of subcall function 0095600E: GetStockObject.GDI32(00000011), ref: 00956060
Part of subcall function 0095600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009E4145

Strings

Msctls_Progress32, xrefs: 009E40E3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: db0937063b9cdcc993ce4d6b7e7cb8d55c383893653aa776fca4bfd6445913c4
Instruction ID: 0462b037588f370c6dd602d8fd9ecf8b8a60a5c82ca05802ebaf93890f52e94b
Opcode Fuzzy Hash: db0937063b9cdcc993ce4d6b7e7cb8d55c383893653aa776fca4bfd6445913c4
Instruction Fuzzy Hash: D811B2B2150219BEEF118FA5CC85EE77FADFF18798F014120BA18A6190C676DC61DBA4

Function 0098D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0098D7A3: _free.LIBCMT ref: 0098D7CC

_free.LIBCMT ref: 0098D82D

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098D838
_free.LIBCMT ref: 0098D843
_free.LIBCMT ref: 0098D897
_free.LIBCMT ref: 0098D8A2
_free.LIBCMT ref: 0098D8AD
_free.LIBCMT ref: 0098D8B8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: fa8813a4cc63bbe74e9c3185b76627e16394399da77ad02a7f341cc7a5f88429
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1211FEB1542B04AAE621BFB0CD47FCF7BDCAF85700F404825F299A66D2DA69B5058760

Function 009BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009BDA74
LoadStringW.USER32(00000000), ref: 009BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009BDA91
LoadStringW.USER32(00000000), ref: 009BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009BDAB9

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 58ea342d6685030d171929376133f7d5da86c3482c956eb7e6bc18c3d58821cd
Instruction ID: 46f246afd24dc2c607d56d9fae78930f40510e2b5e022a44b689a5264516be33
Opcode Fuzzy Hash: 58ea342d6685030d171929376133f7d5da86c3482c956eb7e6bc18c3d58821cd
Instruction Fuzzy Hash: 5B0186F2514348BFEB119BE09DC9EEB736CEB08701F400891B796E6041E6749E858F74

Function 009C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012CE8B8,012CE8B8), ref: 009C097B
EnterCriticalSection.KERNEL32(012CE898,00000000), ref: 009C098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 009C099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 009C09A9
CloseHandle.KERNEL32(00000000), ref: 009C09B8
InterlockedExchange.KERNEL32(012CE8B8,000001F6), ref: 009C09C8
LeaveCriticalSection.KERNEL32(012CE898), ref: 009C09CF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c76b7bbe5d8745b08ce7e951858851d9aec9428082ec3209ef26f927a6e00718
Instruction ID: 770330c43df494c77026d18826f7a2c98e12037f9ca4dc6b7896d7d6935b5809
Opcode Fuzzy Hash: c76b7bbe5d8745b08ce7e951858851d9aec9428082ec3209ef26f927a6e00718
Instruction Fuzzy Hash: FCF03171456642FBD7415F94EECCBD67B39FF41702F402015F251588A0C7749866DF90

Function 009D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009D1DE1
WSAGetLastError.WSOCK32 ref: 009D1DF2
htons.WSOCK32(?,?,?,?,?), ref: 009D1EDB
inet_ntoa.WSOCK32(?), ref: 009D1E8C

Part of subcall function 009B39E8: _strlen.LIBCMT ref: 009B39F2

Part of subcall function 009D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,009CEC0C), ref: 009D3240

_strlen.LIBCMT ref: 009D1F35

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c1ead73e8d4d4b2c66a60cb963f5943d748280cc525bcb5e3ea997140db2b0aa
Instruction ID: 5a780bcf94d2a5f48883a92ac305d924d4baa1e7ec23edbc81c4788f09315744
Opcode Fuzzy Hash: c1ead73e8d4d4b2c66a60cb963f5943d748280cc525bcb5e3ea997140db2b0aa
Instruction Fuzzy Hash: 35B1AC72244340AFD324DF24C895F2A7BA9AFC4318F54894DF8965B3A2DB31ED46CB91

Function 009801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009800D6
__allrem.LIBCMT ref: 009800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0098010B
__allrem.LIBCMT ref: 00980122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00980140

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 633dba28df89c79a1086ce52d61b5ac06bc7fe5ff4b32272c31594fc6fa379d6
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 2781E572A007069BE720AF68CC52B6A73E9EFC1734F24853AF555DB781EB74D9048B90

Function 009861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009782D9,009782D9,?,?,?,0098644F,00000001,00000001,8BE85006), ref: 00986258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0098644F,00000001,00000001,8BE85006,?,?,?), ref: 009862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009863D8
__freea.LIBCMT ref: 009863E5

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

__freea.LIBCMT ref: 009863EE
__freea.LIBCMT ref: 00986413

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c544635a6df085bf30d2c149807baf7e6597c9d610e12196c362018dd8dc0186
Instruction ID: 97fd4ebcad1c5199735d660fe269847466940b616014ab324e1db7c1c8827f9c
Opcode Fuzzy Hash: c544635a6df085bf30d2c149807baf7e6597c9d610e12196c362018dd8dc0186
Instruction Fuzzy Hash: CA51B072600216ABEB25AF64DC81FBF77AAEB84750F15466AFC05DB250EB34DC40D760

Function 009DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DBD25
RegCloseKey.ADVAPI32(00000000), ref: 009DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009DBDF3
RegCloseKey.ADVAPI32(?), ref: 009DBDFF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5823ee7cfd2efef6a9b076dc37251b2369d2291ac8d01aa310f36d3ea6602774
Instruction ID: 4d9e097af205aa92b37638123056979aeebb7badb9af54ca45d6b057ec39bf03
Opcode Fuzzy Hash: 5823ee7cfd2efef6a9b076dc37251b2369d2291ac8d01aa310f36d3ea6602774
Instruction Fuzzy Hash: 1F81A070218241EFD714DF24C891E2ABBE9FF84308F15895DF5998B2A2DB31ED45CB92

Function 009AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 009AF7B9
SysAllocString.OLEAUT32(00000001), ref: 009AF860
VariantCopy.OLEAUT32(009AFA64,00000000), ref: 009AF889
VariantClear.OLEAUT32(009AFA64), ref: 009AF8AD
VariantCopy.OLEAUT32(009AFA64,00000000), ref: 009AF8B1
VariantClear.OLEAUT32(?), ref: 009AF8BB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f56bee46f7ace3dfdfb2fab2cccaadafd9bd8c954d837e00e796fd467c188aea
Instruction ID: 754ed443cbc41a993e860be31c2f34ae63932ded98f00126f4974a9e503426dc
Opcode Fuzzy Hash: f56bee46f7ace3dfdfb2fab2cccaadafd9bd8c954d837e00e796fd467c188aea
Instruction Fuzzy Hash: C051D935510310BADF14ABA5D8B5B2AB3A8EFC6310F244866F906DF291EB749C41C7D6

Function 009C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009C94E5
_wcslen.LIBCMT ref: 009C9506
_wcslen.LIBCMT ref: 009C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 009C9585

Strings

X, xrefs: 009C9412

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: bdb3bb88019b92d02d8756ab6c24173391571c010349b633c2c7539315a58354
Instruction ID: 1ef927eec40fb3b456174d7c7e28bc2cade0286f903bf49f2483a63fbaaf8a07
Opcode Fuzzy Hash: bdb3bb88019b92d02d8756ab6c24173391571c010349b633c2c7539315a58354
Instruction Fuzzy Hash: 3AE17B31A083518FD724DF25C885F6AB7E4BF85314F04896DF8999B2A2EB31DD05CB92

Function 0096920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

BeginPaint.USER32(?,?,?), ref: 00969241
GetWindowRect.USER32(?,?), ref: 009692A5
ScreenToClient.USER32(?,?), ref: 009692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009692D3
EndPaint.USER32(?,?,?,?,?), ref: 00969321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009A71EA

Part of subcall function 00969339: BeginPath.GDI32(00000000), ref: 00969357

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 65735abfd563a84bf7d2a1d8d713e8041d2af6dfc018c6bee4bf58e07124ad1f
Instruction ID: 12aef1d06a6f47335814ffbd95f224153b979a360715d4857ddd9d00d79178b6
Opcode Fuzzy Hash: 65735abfd563a84bf7d2a1d8d713e8041d2af6dfc018c6bee4bf58e07124ad1f
Instruction Fuzzy Hash: 9141AD70108341AFD721DF68CCD5FBA7BECEB96720F040629F9A48B2A1C7319846DB61

Function 009C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009C0847
EnterCriticalSection.KERNEL32(?), ref: 009C0863
LeaveCriticalSection.KERNEL32(?), ref: 009C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 009C0921

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c31312ca108410d97ee5b245c6359e8670571937c50bae60a55e1e694077c69c
Instruction ID: 2181b24c5e8a6528d7c7e1ac18b22758e9b2da5903e8675cd9463c8679dfb3c8
Opcode Fuzzy Hash: c31312ca108410d97ee5b245c6359e8670571937c50bae60a55e1e694077c69c
Instruction Fuzzy Hash: 37415972900205EBDF159F54DC85BAA7B78FF84300F1480A9ED049E297D731DE61DBA0

Function 009E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,009AF3AB,00000000,?,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009E824C
EnableWindow.USER32(00000000,00000000), ref: 009E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009E82D1
ShowWindow.USER32(00000000,00000004), ref: 009E82E5
EnableWindow.USER32(00000000,00000001), ref: 009E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009E832F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1f8cf8795ca2ca1d55185360da656ffaabb8cd43e13c6c9abf5d5de785348bd9
Instruction ID: 19ddb91da0d09704715f6b9fdbe5199e6023615d15c4976b4aedd7665b1460e6
Opcode Fuzzy Hash: 1f8cf8795ca2ca1d55185360da656ffaabb8cd43e13c6c9abf5d5de785348bd9
Instruction Fuzzy Hash: C941C730601684EFDB26CF96C895BE57BE4FB0A754F185169E61C5F362CB32AC42CB50

Function 009B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009B4CEA
_wcslen.LIBCMT ref: 009B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009B4D10
_wcsstr.LIBVCRUNTIME ref: 009B4D1A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c4e07058dfd9b813ce2246a8d00d9b51875fb10aa54271b097dcb436086b89eb
Instruction ID: 8ede2469cbbc5cbe6a389b9b4435a1f4eb221f3b20144c80ea85fa83fc8377dc
Opcode Fuzzy Hash: c4e07058dfd9b813ce2246a8d00d9b51875fb10aa54271b097dcb436086b89eb
Instruction Fuzzy Hash: 5E21F972604241BBEB155B39ED49FBB7FACDF85B60F10802DF849CE193DA65DC01A6A0

Function 009C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

_wcslen.LIBCMT ref: 009C587B
CoInitialize.OLE32(00000000), ref: 009C5995
CoCreateInstance.OLE32(009EFCF8,00000000,00000001,009EFB68,?), ref: 009C59AE
CoUninitialize.OLE32 ref: 009C59CC

Strings

.lnk, xrefs: 009C5876, 009C58C1, 009C5985

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 9e82e7d2ead437ba2b93acca17e880c8a1acff92055d146b806ff6fa573db95d
Instruction ID: 848f5eaca17f844b1f0eec87de107249fd3ee3ecb36ec27fa37e076d95777d0d
Opcode Fuzzy Hash: 9e82e7d2ead437ba2b93acca17e880c8a1acff92055d146b806ff6fa573db95d
Instruction Fuzzy Hash: F2D16371A087019FC704DF25C480E2ABBE5EF89714F15899DF88A9B361DB31ED85CB92

Function 009B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B0FCA
Part of subcall function 009B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B0FD6
Part of subcall function 009B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B0FE5
Part of subcall function 009B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B0FEC
Part of subcall function 009B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B1002

GetLengthSid.ADVAPI32(?,00000000,009B1335), ref: 009B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009B17BA
HeapAlloc.KERNEL32(00000000), ref: 009B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009B17DA
GetProcessHeap.KERNEL32(00000000,00000000,009B1335), ref: 009B17EE
HeapFree.KERNEL32(00000000), ref: 009B17F5

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 75d9fcd4cf8751feae08bec54c18f4f7d6880691f966e071478a692ef4133015
Instruction ID: ee878ca8ff158f289814f5023f7ac2a96842bbf56e916cfe5910b945c9b5a749
Opcode Fuzzy Hash: 75d9fcd4cf8751feae08bec54c18f4f7d6880691f966e071478a692ef4133015
Instruction Fuzzy Hash: D611AC72614205FFDB109FA4CD99BEE7BADEB42365F504018F8819B210CB35AD41DB60

Function 009B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 009B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009B1515
CloseHandle.KERNEL32(00000004), ref: 009B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 009B1563

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e28b9aaf347816c8321d6812ce9485c2dd97b513817e6d3d218f6e43e38d0b6e
Instruction ID: 71a53b65e416cb028f12e94bbd33faa3f599fdbeabb1ed01b469b176ba5c7fa7
Opcode Fuzzy Hash: e28b9aaf347816c8321d6812ce9485c2dd97b513817e6d3d218f6e43e38d0b6e
Instruction Fuzzy Hash: 8A1129B2604249EBDF11CF98DE49BDE7BADEF48754F044025FA45A6060C3768E61EB60

Function 00973382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00973379,00972FE5), ref: 00973390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0097339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009733B7
SetLastError.KERNEL32(00000000,?,00973379,00972FE5), ref: 00973409

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9f8b9309ef4a694da75372cf3c971f2d59297bc82878f1f7b943b3c3d4149e00
Instruction ID: af5b2c6f02874494aa89b34242f9061edad3bce5f9f134dfd27ca895ec70b9b9
Opcode Fuzzy Hash: 9f8b9309ef4a694da75372cf3c971f2d59297bc82878f1f7b943b3c3d4149e00
Instruction Fuzzy Hash: 97012433248711BEE62567B47C86AA72A9DEB49779330C229F418842F1FF114D027244

Function 00982D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00985686,00993CD6,?,00000000,?,00985B6A,?,?,?,?,?,0097E6D1,?,00A18A48), ref: 00982D78
_free.LIBCMT ref: 00982DAB
_free.LIBCMT ref: 00982DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0097E6D1,?,00A18A48,00000010,00954F4A,?,?,00000000,00993CD6), ref: 00982DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0097E6D1,?,00A18A48,00000010,00954F4A,?,?,00000000,00993CD6), ref: 00982DEC
_abort.LIBCMT ref: 00982DF2

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 81a469b0784a54e581f546c0404c665d7792857e503d654bd90a0bfa459f2346
Instruction ID: 109817bfc6067db49afa396e5161870021f15b0f48afff4d9df2164f95bd85ac
Opcode Fuzzy Hash: 81a469b0784a54e581f546c0404c665d7792857e503d654bd90a0bfa459f2346
Instruction Fuzzy Hash: B3F0C87654960137C6127778BC06F5B2A5DAFC27B1F254518F825D73D2EF28DC025360

Function 009E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00969639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696A2
Part of subcall function 00969639: BeginPath.GDI32(?), ref: 009696B9
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 009E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009E8A70
LineTo.GDI32(?,00000000,00000003), ref: 009E8A80
EndPath.GDI32(?), ref: 009E8A90
StrokePath.GDI32(?), ref: 009E8AA0

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d3a6d0be53776330014672ff86958b1a070907faa216fe835e2a64813f460cdd
Instruction ID: a4c4a55735cf9a76e25d8d6eb64e1e541f6492d58d20d6fe646918bfb3b35588
Opcode Fuzzy Hash: d3a6d0be53776330014672ff86958b1a070907faa216fe835e2a64813f460cdd
Instruction Fuzzy Hash: 94111E7600414CFFDF129F94DC88EAA7F6CEB04355F008021FA599A161C7719D56DF60

Function 009B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 009B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009B5230
ReleaseDC.USER32(00000000,00000000), ref: 009B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 009B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 009B5261

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0216d2d3dcb744ac48ebe5b2bc454bc3ed2a0ae77d17631e63f62782c82cee2f
Instruction ID: 70f77da14c7ef279cc17beb844388c7ccc99cc3639d726c8b3ad98ec6e28ffb3
Opcode Fuzzy Hash: 0216d2d3dcb744ac48ebe5b2bc454bc3ed2a0ae77d17631e63f62782c82cee2f
Instruction Fuzzy Hash: 6E018FB5A05709BBEF109BE59C89B4EBFB8EB88751F044065FA04AB281D6709C01DBA0

Function 00951BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00951BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00951BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00951C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00951C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00951C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00951C22

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2d81dc2deb03db841c871f1197c86a255fa93e8517f14873a658b7fcb8a811dc
Instruction ID: d1266caf9e0bc77130e509beeac0e653762a08c67d65adc68201d6c676a3738d
Opcode Fuzzy Hash: 2d81dc2deb03db841c871f1197c86a255fa93e8517f14873a658b7fcb8a811dc
Instruction Fuzzy Hash: E50144B0902B5ABDE3008F6A8C85A52FFA8FF19754F00411BA15C4BA42C7B5A864CBE5

Function 009BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 009BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB75

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3e08248f076385a5e5755752b7212c11ef9bb64b651849de926e1544aeb46e2f
Instruction ID: ecb2f0ad360f0b0f4aeab63418c0dacb31edab8d058e2457c5ace89057803a5d
Opcode Fuzzy Hash: 3e08248f076385a5e5755752b7212c11ef9bb64b651849de926e1544aeb46e2f
Instruction Fuzzy Hash: 21F030B2154199BBE72157529C4DEEF3A7CEFCAF11F000158FA41D5091D7A05E02D6B5

Function 009A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 009A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 009A7469
GetWindowDC.USER32(?), ref: 009A7475
GetPixel.GDI32(00000000,?,?), ref: 009A7484
ReleaseDC.USER32(?,00000000), ref: 009A7496
GetSysColor.USER32(00000005), ref: 009A74B0

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: ced80e3dfc35c4f21aee98961186d16639a5114211a1018867b203ab094456ad
Instruction ID: 4d842d7c27a6d162d9636c4fcfb3a301b56db589db45ffb53a38e7f2f70784ba
Opcode Fuzzy Hash: ced80e3dfc35c4f21aee98961186d16639a5114211a1018867b203ab094456ad
Instruction Fuzzy Hash: D6018B71418255FFDB509FA4DC49BAABBB6FB08311F100064F966A60B1CB311E42AB50

Function 009B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009B187F
UnloadUserProfile.USERENV(?,?), ref: 009B188B
CloseHandle.KERNEL32(?), ref: 009B1894
CloseHandle.KERNEL32(?), ref: 009B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009B18A5
HeapFree.KERNEL32(00000000), ref: 009B18AC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6660ad93cf14820df4a919cdeaf17aa83d6525dac35a9feca2bb41f92319c0ac
Instruction ID: 859f4c4b9e602df8f6797edcf4f95db82bafd9bca6b699148d5e20feafe8fa52
Opcode Fuzzy Hash: 6660ad93cf14820df4a919cdeaf17aa83d6525dac35a9feca2bb41f92319c0ac
Instruction Fuzzy Hash: B2E01AB601C241BFDB015FA1ED4CD0ABF39FF4AB22B108220F66589070CB329822EF50

Function 009BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009BC6EE
_wcslen.LIBCMT ref: 009BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009BC7CA

Strings

0, xrefs: 009BC6AF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 9f09ef07286fe7218e9cf7bd4e8bfc4a795d84dccc085e014d7dc227f2b6b90b
Instruction ID: 1f0804d23046e713bf616f68b01e44121d3da28ed4f7286363ae0c9e237b8e7a
Opcode Fuzzy Hash: 9f09ef07286fe7218e9cf7bd4e8bfc4a795d84dccc085e014d7dc227f2b6b90b
Instruction Fuzzy Hash: 7051D0F16183019BD714DF28CA95BAB77E8AF89320F040A2DF995E31A0DB74DD04CB52

Function 009DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 009DAEA3

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

GetProcessId.KERNEL32(00000000), ref: 009DAF38
CloseHandle.KERNEL32(00000000), ref: 009DAF67

Strings

<, xrefs: 009DAE6B
@, xrefs: 009DAE72

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: bbdae92e384b20e29069dbd9c3545d290b6060d8ee62acfd466360bb6672b5bd
Instruction ID: 227ac1ec3d2e3a2ee37912624736fef153703f959cab6925290baed33196e499
Opcode Fuzzy Hash: bbdae92e384b20e29069dbd9c3545d290b6060d8ee62acfd466360bb6672b5bd
Instruction Fuzzy Hash: 14718A71A00219DFCB14DF95D484A9EBBF4FF48310F04849AE856AB3A2D774EE45CBA1

Function 009B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009B72CF

Strings

DllGetClassObject, xrefs: 009B7242

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5cb8cfc29f3f080da3e44a1c78c00a18ce5d34b6d3b10f18787683abae2c85ff
Instruction ID: 377bb322911d7c7b374c5cb36f6716366d1cec2aa64d56aa7b4755d9f6b8f230
Opcode Fuzzy Hash: 5cb8cfc29f3f080da3e44a1c78c00a18ce5d34b6d3b10f18787683abae2c85ff
Instruction Fuzzy Hash: 974171B1A04204EFDB15CF94C984ADABBA9EF84320F1485ADBD159F20AD7B0DD45CBA0

Function 009B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 009B1EA9

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Strings

ListBox, xrefs: 009B1E25
ComboBox, xrefs: 009B1DF0

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 8cefe7c29b763886772cee25c3dac6fef4064cb2c08b66201c02a6e441e4b660
Instruction ID: 375eb6114bad3f9b4cad3708f1b9a119b6f2657c6fc09a8280247882c6ba7ccd
Opcode Fuzzy Hash: 8cefe7c29b763886772cee25c3dac6fef4064cb2c08b66201c02a6e441e4b660
Instruction Fuzzy Hash: 85217771A00104BEDB04ABA1DD96DFFBBBCEF81360B504419FC65A71E1DB388D0A8720

Function 009E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009E2F8D
LoadLibraryW.KERNEL32(?), ref: 009E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009E2FA9
DestroyWindow.USER32(?), ref: 009E2FB1

Strings

SysAnimate32, xrefs: 009E2F68

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1404807aee170ab75bd9942c72347c384a596e3511a9858bbec2e3797ac05e9a
Instruction ID: e8412e8f104b0dc6030e5674b27c5e9ff1c2f1db4a0536b76c734d2737b8a299
Opcode Fuzzy Hash: 1404807aee170ab75bd9942c72347c384a596e3511a9858bbec2e3797ac05e9a
Instruction Fuzzy Hash: 0821C072604285ABEB124F66DC81FBB37BDFB59364F100A28F950D6190D771DC519760

Function 00974D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00974D1E,009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002), ref: 00974D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00974DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00974D1E,009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000), ref: 00974DC3

Strings

mscoree.dll, xrefs: 00974D86
CorExitProcess, xrefs: 00974D98

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6d8b8cb742dcc3cf26fb2a67a29c6df123e158968f318e2cae7b08567dc0a39e
Instruction ID: de233ef61719d30299ce8c582abfb56da8342175d5b54c869373c3e3abbd5a0a
Opcode Fuzzy Hash: 6d8b8cb742dcc3cf26fb2a67a29c6df123e158968f318e2cae7b08567dc0a39e
Instruction Fuzzy Hash: ECF06275A54308BBDB119F90DC49BEDBFB9EF84752F0040A8F949A62A1DB30AD41DB90

Function 00954E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00954EAE
FreeLibrary.KERNEL32(00000000,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00954EA8
kernel32.dll, xrefs: 00954E94

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: be2212f92a267e9a66127e02551b50c682b27c71d4a7a843b40949c3357c451e
Instruction ID: 6dbc4feb8a200a014b8157f21597533f174d4d7895dbcbdedda13492c4542f71
Opcode Fuzzy Hash: be2212f92a267e9a66127e02551b50c682b27c71d4a7a843b40949c3357c451e
Instruction Fuzzy Hash: 11E0CD76E196225FD3725B266C1DB5F655CAFC2F677050115FC40D7100DB60CD4B91A0

Function 00954E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00954E74
FreeLibrary.KERNEL32(00000000,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00954E6E
kernel32.dll, xrefs: 00954E5B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 025f50d6a0fb54c43a4f691e0b31e1de92e023fe04c537d2c00ad73c9d75bdbf
Instruction ID: cd5fc089894a196fe3a339bacb3f7e9a4cdb3ac452ec2f29d906931b0672da87
Opcode Fuzzy Hash: 025f50d6a0fb54c43a4f691e0b31e1de92e023fe04c537d2c00ad73c9d75bdbf
Instruction Fuzzy Hash: 95D0C23291A6616B4A621B267C09D8B2A1CAF81F2A3050514BC41A6110CF20CD4AD2D1

Function 009DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009DA468
CloseHandle.KERNEL32(?), ref: 009DA63D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 4d63745f92e484a392591f71fb7638e1f43873c503033b1eddfb55835c957314
Instruction ID: 857a90c2d26fa639759dc059d3708daa7f8ba1fc90b3a6af05eac08582294eb1
Opcode Fuzzy Hash: 4d63745f92e484a392591f71fb7638e1f43873c503033b1eddfb55835c957314
Instruction Fuzzy Hash: 06A1AFB16043009FD720DF25D886F2AB7E5AF84714F14885DF99A9B392DBB0EC45CB82

Function 0098BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009F3700), ref: 0098BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A2121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0098BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A21270,000000FF,?,0000003F,00000000,?), ref: 0098BC36
_free.LIBCMT ref: 0098BB7F

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098BD4B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: adc4b2b7fb1cdfaeee76ddd8498c90169d4f09fdb6900a26aa1f59469272ce8d
Instruction ID: b0599a9bba1d367d40407c2af1cef116808d9a31d8d40476db0827ff0bdbd44a
Opcode Fuzzy Hash: adc4b2b7fb1cdfaeee76ddd8498c90169d4f09fdb6900a26aa1f59469272ce8d
Instruction Fuzzy Hash: 8F51B871904209EFCB20FFA99C81ABEB7BCAF94310B18467AF554D7391EB309E428750

Function 009BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009BCF22,?), ref: 009BDDFD

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009BCF22,?), ref: 009BDE16

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

lstrcmpiW.KERNEL32(?,?), ref: 009BE473
MoveFileW.KERNEL32(?,?), ref: 009BE4AC
_wcslen.LIBCMT ref: 009BE5EB
_wcslen.LIBCMT ref: 009BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 009BE650

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fa11782bfa111dc524b5aaeebbdf469071382de413a72793ac1916d9949eb41b
Instruction ID: 800d3c690db677b67066aeb1af3cd38321d3b2539bfe5016638e423dfed3487c
Opcode Fuzzy Hash: fa11782bfa111dc524b5aaeebbdf469071382de413a72793ac1916d9949eb41b
Instruction Fuzzy Hash: 0B5172B24083859BD724DBA4D881ADB73EDAFC4350F00492EF689D3191EF74A68C8766

Function 009DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009DBB63
RegCloseKey.ADVAPI32(?,?), ref: 009DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 009DBBB3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 3f1f0e41db2a91c24f348120657c671e026394a49c18236715e31f0cae09f5dc
Instruction ID: 8efe4e5d6d593f75bb6cf27340d4b3d90fd09c6f71f9a6547657751cf6786fde
Opcode Fuzzy Hash: 3f1f0e41db2a91c24f348120657c671e026394a49c18236715e31f0cae09f5dc
Instruction Fuzzy Hash: 1661AD71208241EFD714DF14C490E2ABBE9FF84308F55895EF4998B2A2DB35ED46CB92

Function 009B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B8BCD
VariantClear.OLEAUT32 ref: 009B8C3E
VariantClear.OLEAUT32 ref: 009B8C9D
VariantClear.OLEAUT32(?), ref: 009B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009B8D3B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a621c28d63fd94a5d562bed244e828532d5769f88a6f1a266cfa8584180fd3a8
Instruction ID: 9068806f475d322d1b7631621551949dee93f453217d267a5029cc4913b65354
Opcode Fuzzy Hash: a621c28d63fd94a5d562bed244e828532d5769f88a6f1a266cfa8584180fd3a8
Instruction Fuzzy Hash: E4516AB5A10219EFCB10CF68C894AAAB7F9FF8D310B15855AE949DB350E730E911CF90

Function 009C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 009C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009C8C5F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5ddc2db426f62141c0ea6d457caaf435c1892553c899962539770e53892cec3a
Instruction ID: 830da4ee1dfe8c13bc00d61f5f3a6cf175399bdaef2bb0096550af3b143c9ed8
Opcode Fuzzy Hash: 5ddc2db426f62141c0ea6d457caaf435c1892553c899962539770e53892cec3a
Instruction Fuzzy Hash: 78516A75A00214AFCB05DF65C880E6EBBF5FF88314F088458E849AB362DB31ED56CB91

Function 009D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 009D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 009D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 009D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 009D9032
FreeLibrary.KERNEL32(00000000), ref: 009D9052

Part of subcall function 0096F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,009C1043,?,76D1E610), ref: 0096F6E6
Part of subcall function 0096F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,009AFA64,00000000,00000000,?,?,009C1043,?,76D1E610,?,009AFA64), ref: 0096F70D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f8f4836f84d71ab2ae9cb506d5dfa8408ac7848a5f8ed4f24179a8c8eec9710a
Instruction ID: 060d274c6b59b82fc3abef47aec04c8286047aa9914f387ea8f0a635afb0a84f
Opcode Fuzzy Hash: f8f4836f84d71ab2ae9cb506d5dfa8408ac7848a5f8ed4f24179a8c8eec9710a
Instruction Fuzzy Hash: 06516C34604205DFC705EF68C4949ADBBF5FF89314B04C0A9E80A9B362DB31ED8ACB90

Function 009E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 009E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,009CAB79,00000000,00000000), ref: 009E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009E6CC7

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 34f4bd17510f6e2cef2f16e1a1548a9badf201afb6c9e24cdc8433fae71f55c7
Instruction ID: 23a0ce3622a25c98507e393d63187ba7f4c45f4bfbe6501a76e6e16e206edba1
Opcode Fuzzy Hash: 34f4bd17510f6e2cef2f16e1a1548a9badf201afb6c9e24cdc8433fae71f55c7
Instruction Fuzzy Hash: 4141E635A04184AFD726CF6ACC95FB57BA9EB19390F240628FED5A72E0C371AD41DA40

Function 00982051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009820C3
_free.LIBCMT ref: 009820E3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a5d8309b955d17ca76c6d9459d2b673a10c455daa5bc84442662bbbd46212ba7
Instruction ID: 7f06820ce8a0c8ecdf195aaa98c58ac9ca126ac3c6b0b9fdf5e851e8ff7f5904
Opcode Fuzzy Hash: a5d8309b955d17ca76c6d9459d2b673a10c455daa5bc84442662bbbd46212ba7
Instruction Fuzzy Hash: 0A41F672A002009FCB24EF78C885A5DB7F5EF89314F258569E515EB392D731ED01CB80

Function 0096912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00969141
ScreenToClient.USER32(00000000,?), ref: 0096915E
GetAsyncKeyState.USER32(00000001), ref: 00969183
GetAsyncKeyState.USER32(00000002), ref: 0096919D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 73665da747a09d9513db2b427302e1d03da00415da60a0a8713c1e2d2e00f27d
Instruction ID: 22d79e8636dc816252bbd6e9802c50458d806b61bb2dfd7478758516ca45cd42
Opcode Fuzzy Hash: 73665da747a09d9513db2b427302e1d03da00415da60a0a8713c1e2d2e00f27d
Instruction Fuzzy Hash: D1417F71A0C60AFBDF059FA8C844BEEF7B8FB46320F208615E465A7290C7346D54DB91

Function 009C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 009C3922
TranslateMessage.USER32(?), ref: 009C394B
DispatchMessageW.USER32(?), ref: 009C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009C3966

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: a41423d4cad1daff0daeeb5dbc42942b61571d163c9e4b73e550354c5898440b
Instruction ID: 9d8eab7f5455eb7a23c5e2e32facf0c3fe1a53bf99d4e812bc26d6c318a2f0ff
Opcode Fuzzy Hash: a41423d4cad1daff0daeeb5dbc42942b61571d163c9e4b73e550354c5898440b
Instruction Fuzzy Hash: 52319770D08382DFEB35CB799848FB637ACAB15304F04C57DE452961A0E7B59A86DB13

Function 009CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 009CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 009CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFF2

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: f2bce5427fffe5c3aa6e7c14f722cc37be6f1c29516200703f9f60daa946dcc3
Instruction ID: 7c81a07f1a47cea87859abb6f52f5e842be5810dabcc569790ffb6efa80ad853
Opcode Fuzzy Hash: f2bce5427fffe5c3aa6e7c14f722cc37be6f1c29516200703f9f60daa946dcc3
Instruction Fuzzy Hash: 743147B1A04205AFDB20DFA5D884FAABFFEEB14351B10442EF55AD6241DB30EE419B61

Function 009B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009B19E2

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 0efc7c65c23ee538380fb460c5ce249088f822f9345a40d57596f053b75c1372
Instruction ID: de6f979d617bf279fecd6f408893d3ab0efb739dd06e52f8a2997f4b59782837
Opcode Fuzzy Hash: 0efc7c65c23ee538380fb460c5ce249088f822f9345a40d57596f053b75c1372
Instruction Fuzzy Hash: 4631D171A00259EFCB04CFA8DEA9ADE3BB5EB45325F104229F961EB2D1C7709D44DB90

Function 009E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 009E579D
_wcslen.LIBCMT ref: 009E57AF
_wcslen.LIBCMT ref: 009E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E5816

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9a09c93ba756f415d1f148cd4c29767aefa75522e9e93b34931e58e9d7c2716f
Instruction ID: a69fbb205450a3ae857644aa4362fbebb4aa1a6576e20cc4e22c6508ea7bb263
Opcode Fuzzy Hash: 9a09c93ba756f415d1f148cd4c29767aefa75522e9e93b34931e58e9d7c2716f
Instruction Fuzzy Hash: D321D571904698DADB219FA2CC84AEE77BCFF40728F108216E919EB1C1E7708D81CF50

Function 009D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009D0951
GetForegroundWindow.USER32 ref: 009D0968
GetDC.USER32(00000000), ref: 009D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 009D09B0
ReleaseDC.USER32(00000000,00000003), ref: 009D09E8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4ff9f2403d9d596fa785c4b9dd808543ec99e7b87acb1435266cddcf6c630879
Instruction ID: 32d2dfb84e163566aafcc2d17fddb3b82241a851c6166d08d495cb8ac1fbae48
Opcode Fuzzy Hash: 4ff9f2403d9d596fa785c4b9dd808543ec99e7b87acb1435266cddcf6c630879
Instruction Fuzzy Hash: 7D21A475A00204AFD704EF65D884B5EB7E5EF84740F00842DF886D7352DB30AC05DB50

Function 0098CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0098CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0098CDE9

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0098CE0F
_free.LIBCMT ref: 0098CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0098CE31

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 646e21524295e8951c2fe286ff1c7fca8b0242a73cf1797756026484c068ca64
Instruction ID: 63b3b1dfd7c2f8675832e932454fb5348285cdfe484b22493e836da078c3f33b
Opcode Fuzzy Hash: 646e21524295e8951c2fe286ff1c7fca8b0242a73cf1797756026484c068ca64
Instruction Fuzzy Hash: 2301F7F26052557FA32136B66C8CD7B7A6DEFC6BA13154129FD05C7302EA718D0293B0

Function 00969639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
SelectObject.GDI32(?,00000000), ref: 009696A2
BeginPath.GDI32(?), ref: 009696B9
SelectObject.GDI32(?,00000000), ref: 009696E2

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5fadd54578c344cc01f196d10c68e39577c6dbff354c07bc82d5b9426af69ab1
Instruction ID: ffaa632bb975c0ef5f67db03a22237f45f1a7ab8c8296ffea9b388cd6c304d1f
Opcode Fuzzy Hash: 5fadd54578c344cc01f196d10c68e39577c6dbff354c07bc82d5b9426af69ab1
Instruction Fuzzy Hash: 9F2180B0816345EBDF21DFA8EC497B97BACBB61355F100226F420A61B0D3705893DF90

Function 009B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009B5726
_memcmp.LIBVCRUNTIME ref: 009B5744
_memcmp.LIBVCRUNTIME ref: 009B5757
_memcmp.LIBVCRUNTIME ref: 009B576F
_memcmp.LIBVCRUNTIME ref: 009B5787

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7c3b46483999486ec9e1d9a6c8d356633bd975434a79c0b38ac6b09eae0db9c2
Instruction ID: a947b80bbebeec159fed2ea8ac0aeaa337f82ac48bce20c324a72657327932c2
Opcode Fuzzy Hash: 7c3b46483999486ec9e1d9a6c8d356633bd975434a79c0b38ac6b09eae0db9c2
Instruction Fuzzy Hash: B401B572741609BBE20955159FD2FFB735C9BA13BCF254021FD0C9A241FB60EE1182A0

Function 0096990E Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009698CC
SetTextColor.GDI32(?,?), ref: 009698D6
SetBkMode.GDI32(?,00000001), ref: 009698E9
GetStockObject.GDI32(00000005), ref: 009698F1
GetWindowLongW.USER32(?,000000EB), ref: 00969952

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 9986395efb0f7ced439f67a94e6e0bdf0be23390c8387c2126dffe4df5616b6f
Instruction ID: afe55ad672d3fe431c6af845ae73b2b943955d58c4012ff7725fee7006c33162
Opcode Fuzzy Hash: 9986395efb0f7ced439f67a94e6e0bdf0be23390c8387c2126dffe4df5616b6f
Instruction Fuzzy Hash: CA1138316492509BC7218B74EC99AFA3B6CEB56335F08021DF1E24E1E1CB310C82DB50

Function 00982DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0097F2DE,00983863,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6), ref: 00982DFD
_free.LIBCMT ref: 00982E32
_free.LIBCMT ref: 00982E59
SetLastError.KERNEL32(00000000,00951129), ref: 00982E66
SetLastError.KERNEL32(00000000,00951129), ref: 00982E6F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 40ed95061e8bfaf40be0c3b1311451838ef70dfa03c4ca7e537e5634282c55b2
Instruction ID: ccf26208bd827aaaabef631b40ea65a56dfc45b58f849986375870ced529adc4
Opcode Fuzzy Hash: 40ed95061e8bfaf40be0c3b1311451838ef70dfa03c4ca7e537e5634282c55b2
Instruction Fuzzy Hash: 290128722456007BC61277786C89E6B265DAFC17B1B218538F865E33D3EF38CC025324

Function 009B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?,?,009B035E), ref: 009B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?), ref: 009B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0070

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fa63ba14cf84da2947fac34bcf922a4525fdc5c78aaeb56f0637bdf84b0198f7
Instruction ID: 21a35fbe64f393b6c83654f259b74fb2bbce1767a18bb158a400d5b85f256eff
Opcode Fuzzy Hash: fa63ba14cf84da2947fac34bcf922a4525fdc5c78aaeb56f0637bdf84b0198f7
Instruction Fuzzy Hash: 4701F2B2614208BFDB115F68DE44BEB7AEDEF843A1F104024F845D6210D770CD00DBA0

Function 009BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 009BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 009BE9A5
Sleep.KERNEL32(00000000), ref: 009BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 009BE9B7
Sleep.KERNEL32 ref: 009BE9F3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f127f6114421daefa7af05156c2e68c265b6f94208434e12e8323ea89ed91861
Instruction ID: 01e4077231e59c94ddf9cceeb162ff816a5dc6d12632b37ec3275d1992b46382
Opcode Fuzzy Hash: f127f6114421daefa7af05156c2e68c265b6f94208434e12e8323ea89ed91861
Instruction Fuzzy Hash: CD015B71C0592DDBCF009FE5D999ADDBB7CBB09321F000546E542B2241CB3499599BA1

Function 009B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 256aaaedfbeb82a049dbdaac0c17f86f5bf8bec61aacee08478ad995cf09faac
Instruction ID: c6bcadc0d6a03f8e48e5eb6b805fe0634ecd86504e63affff97d13e527f20330
Opcode Fuzzy Hash: 256aaaedfbeb82a049dbdaac0c17f86f5bf8bec61aacee08478ad995cf09faac
Instruction Fuzzy Hash: EB0131B5114205BFDB114F69DC99EAA3F6EEF86360B504419FA85D7350DB31DC019A60

Function 009B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B1002

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f05ad00e40066b9842b9eca7ee6a08eadd05ca096655dfba9a6abbee256db956
Instruction ID: 0804f5e99a2ab756aa19820a50659d30f95bb54c1c4248e3ab4a86af08ec0254
Opcode Fuzzy Hash: f05ad00e40066b9842b9eca7ee6a08eadd05ca096655dfba9a6abbee256db956
Instruction Fuzzy Hash: D9F0CDB5204345EBDB211FA4DC8DF963BADEF8AB62F500414FE85CB261CA30DC419A60

Function 009B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1062

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ed6a8ed819899519e57ab96ac0ce4f3ff2880c102a2848ce0859044a5d521234
Instruction ID: 4f6c17e37a9c33467c3adf94fb7e7cf27f3922e5afba0b8d4561c244c3f7f7b4
Opcode Fuzzy Hash: ed6a8ed819899519e57ab96ac0ce4f3ff2880c102a2848ce0859044a5d521234
Instruction Fuzzy Hash: 1CF06DB5214341EBDB216FA4ED99F963BADEF8A761F500414FE85CB250CA70DC419A60

Function 009C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0324
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0331
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C033E
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C034B
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0358
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0365

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8e484e3f16f848a6a721b34c936da22d0934e026b79e2aa63e398d9940b42c48
Instruction ID: 790dc4bf0bd8005f8a3573ea2665a2b0f2c13ea121e77323412af889c195302a
Opcode Fuzzy Hash: 8e484e3f16f848a6a721b34c936da22d0934e026b79e2aa63e398d9940b42c48
Instruction Fuzzy Hash: A201AA72800B95DFCB30AF66D880912FBF9BFA03153158A3FD19652931C3B1A999DF81

Function 0098D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0098D752

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098D764
_free.LIBCMT ref: 0098D776
_free.LIBCMT ref: 0098D788
_free.LIBCMT ref: 0098D79A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad613903ad94527b8d93ae7ed26ed30960038637a417c4a4faa7caa24a95c78f
Instruction ID: 5e50de6e85756dda308bd60040127384b96b03c9dfc96df96a32a158cac9fcb7
Opcode Fuzzy Hash: ad613903ad94527b8d93ae7ed26ed30960038637a417c4a4faa7caa24a95c78f
Instruction Fuzzy Hash: 01F05B72545204ABC621FBA8FAC5D5677EDBB447207954C05F049D7741C735FC818774

Function 009B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 009B5C6F
MessageBeep.USER32(00000000), ref: 009B5C87
KillTimer.USER32(?,0000040A), ref: 009B5CA3
EndDialog.USER32(?,00000001), ref: 009B5CBD

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6cb15b7895f277e8bb56863cb8791cf20cd06ba3648ec0e637533062f841a4b2
Instruction ID: 9e6128bd5f2a882a1d23eab9fd3e017cec58345bb87d3d6256b1e768e8eba107
Opcode Fuzzy Hash: 6cb15b7895f277e8bb56863cb8791cf20cd06ba3648ec0e637533062f841a4b2
Instruction Fuzzy Hash: 67018170514B44ABEB205B10DE8EFE67BB9BB04B05F010559A5C3A50E1DBF4AD899B90

Function 009822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009822BE

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 009822D0
_free.LIBCMT ref: 009822E3
_free.LIBCMT ref: 009822F4
_free.LIBCMT ref: 00982305

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eac4bc985685cf8b2251fa8d4c00cf46028345aa6f9912c2b9d87ff2c87a8379
Instruction ID: 1a908c25e4506e57d58de6312acd57c138d4a388494c624caf83b8416a77e5cc
Opcode Fuzzy Hash: eac4bc985685cf8b2251fa8d4c00cf46028345aa6f9912c2b9d87ff2c87a8379
Instruction Fuzzy Hash: 89F05E708801208BC632FFDCBE41DA83B68F728760702056AF410D23B2C7361853AFE4

Function 009695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009695D4
StrokeAndFillPath.GDI32(?,?,009A71F7,00000000,?,?,?), ref: 009695F0
SelectObject.GDI32(?,00000000), ref: 00969603
DeleteObject.GDI32 ref: 00969616
StrokePath.GDI32(?), ref: 00969631

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1802959ae11ca2508268c9de0d17e699ae29b6da55bc025872ed64367742fecc
Instruction ID: b4c0741466405faec528d4f6d8ff42a0b1e8041bbc250e1400ae258e9dea3e43
Opcode Fuzzy Hash: 1802959ae11ca2508268c9de0d17e699ae29b6da55bc025872ed64367742fecc
Instruction Fuzzy Hash: B0F0C971019388EBDB269FA9ED58B743B69AB12322F448224F865590F0C7348997EF20

Function 00980F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009810F9
__freea.LIBCMT ref: 00981117

Part of subcall function 00981537: _free.LIBCMT ref: 0098154F

Strings

a/p, xrefs: 009811DE
am/pm, xrefs: 0098117A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b0e66bc0b99b966db787791e679ed5613ce7a83e278d61bf8064c1f1c473fc12
Instruction ID: 0d7f6a33c136344d748fd6fe6a30e05012c165086366e24322abd075e22e52b0
Opcode Fuzzy Hash: b0e66bc0b99b966db787791e679ed5613ce7a83e278d61bf8064c1f1c473fc12
Instruction Fuzzy Hash: 36D1F331904206CBCB28BF68C849BFEB7BCEF46700F24455AE9169B751D3799D82CB91

Function 009D7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00970242: EnterCriticalSection.KERNEL32(00A2070C,00A21884,?,?,0096198B,00A22518,?,?,?,009512F9,00000000), ref: 0097024D
Part of subcall function 00970242: LeaveCriticalSection.KERNEL32(00A2070C,?,0096198B,00A22518,?,?,?,009512F9,00000000), ref: 0097028A

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009700A3: __onexit.LIBCMT ref: 009700A9

__Init_thread_footer.LIBCMT ref: 009D7BFB

Part of subcall function 009701F8: EnterCriticalSection.KERNEL32(00A2070C,?,?,00968747,00A22514), ref: 00970202
Part of subcall function 009701F8: LeaveCriticalSection.KERNEL32(00A2070C,?,00968747,00A22514), ref: 00970235

Strings

Variable must be of type 'Object'., xrefs: 009D7C3A
5, xrefs: 009D7C78
G, xrefs: 009D7C7F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 10b7a6fc61601571d21555569a7dd9215a67f1caac61a324272393dd37b0c62b
Instruction ID: 95131477226f81b88daa80e4da4e8a92f51dccf096df7b96e73c3b576be220a6
Opcode Fuzzy Hash: 10b7a6fc61601571d21555569a7dd9215a67f1caac61a324272393dd37b0c62b
Instruction Fuzzy Hash: C2918C70A44209EFCB14EF94D891AADB7B6BF85300F10C45AF8466B392EB31AE45CB51

Function 009B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B21D0,?,?,00000034,00000800,?,00000034), ref: 009BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009B2760

Part of subcall function 009BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 009BB3F8

Part of subcall function 009BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 009BB355
Part of subcall function 009BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009B2194,00000034,?,?,00001004,00000000,00000000), ref: 009BB365
Part of subcall function 009BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009B2194,00000034,?,?,00001004,00000000,00000000), ref: 009BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B281A

Strings

@, xrefs: 009B2832

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0fef3130b7f6cf2b528625d1e6d0e5ecd0534a497dcbefe919e5de7f315fd19b
Instruction ID: 6d79b91d70858c84c21051acf32d8ba31859e73423fd4f3641f38e1d1d716eda
Opcode Fuzzy Hash: 0fef3130b7f6cf2b528625d1e6d0e5ecd0534a497dcbefe919e5de7f315fd19b
Instruction Fuzzy Hash: F4414B72900218AFDB10DFA4CD85BEEBBB8EF49710F104099FA55B7191DB706E45CBA0

Function 0098172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Offer 2024-30496.exe,00000104), ref: 00981769
_free.LIBCMT ref: 00981834
_free.LIBCMT ref: 0098183E

Strings

C:\Users\user\Desktop\Offer 2024-30496.exe, xrefs: 00981760, 00981767, 00981796, 009817CE

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Offer 2024-30496.exe
API String ID: 2506810119-585436263
Opcode ID: 8efb17bea0fe52246f89eedbafb27657ad412dabe484eea9f5c01bb9795e6418
Instruction ID: 2efeb0fc147fd98cb8c0847ce5de7489eec804ed90176c6d6050db7a4b4e1e90
Opcode Fuzzy Hash: 8efb17bea0fe52246f89eedbafb27657ad412dabe484eea9f5c01bb9795e6418
Instruction Fuzzy Hash: 11315E75A04218EBDB21EB999885EAEBBFCEB95710B1441BAF804D7311D6709E42CB90

Function 009BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 009BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A21990,012D5CD8), ref: 009BC395

Strings

0, xrefs: 009BC2DF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 85c84cd92944fe683bca21b38d3db65ab25f0773d63ed11de172671b53bf7124
Instruction ID: 68e74bb7b69a1ae3d48d996ff36581bfe17a03cdbfdecfc278985e7b655e2184
Opcode Fuzzy Hash: 85c84cd92944fe683bca21b38d3db65ab25f0773d63ed11de172671b53bf7124
Instruction Fuzzy Hash: DB41B0B12083419FD720DF25D984F9ABBE8AFC5321F048A1EF9A5972D1D770E904CB62

Function 009E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009ECC08,00000000,?,?,?,?), ref: 009E44AA
GetWindowLongW.USER32 ref: 009E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E44D7

Strings

SysTreeView32, xrefs: 009E447C

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 310d2d5c9cf151a36f4168f6432872ef3c0af92d816a2ce1e47ef9ac7a64797a
Instruction ID: 8b27dce08c2dde75113ff6d9a8e4926a4bbae2852031a435003ca1d0bedc2b35
Opcode Fuzzy Hash: 310d2d5c9cf151a36f4168f6432872ef3c0af92d816a2ce1e47ef9ac7a64797a
Instruction Fuzzy Hash: A831CB71210285AFDB228F39DC85BEB7BA9EB48334F204724F979921E0DB70EC519B50

Function 009D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,009D3077,?,?), ref: 009D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
_wcslen.LIBCMT ref: 009D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 009D3106

Strings

255.255.255.255, xrefs: 009D3095, 009D309A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 7fa85e68c536b62b376d35a9f94705cb41588eb6c0c2c51b7131c9e4e2dba6c1
Instruction ID: a40f9cf8823beb9699304a99167341b2f2d9c61abd0e2a90eab690ef88574a4b
Opcode Fuzzy Hash: 7fa85e68c536b62b376d35a9f94705cb41588eb6c0c2c51b7131c9e4e2dba6c1
Instruction Fuzzy Hash: 7231F339204202DFCB10CF68C586EAA77E4EF54319F24C05AE9158F392CB32EE45C762

Function 009E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009E471A

Strings

msctls_updown32, xrefs: 009E4684

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b0d49a3c0ed4ea895692cae10e8fe43d35d10d3967a1214243237dc5d83166b9
Instruction ID: 64e95c324e9f2a5961fb10df55630ab6ff75564a290d46b78d17127857700c39
Opcode Fuzzy Hash: b0d49a3c0ed4ea895692cae10e8fe43d35d10d3967a1214243237dc5d83166b9
Instruction Fuzzy Hash: 222160B5600249AFDB11DF69DCC1DB737ADEB9A7A4B040459FA009B351CB31EC52DBA0

Function 009B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B961D

Strings

#OnAutoItStartRegister, xrefs: 009B95F3
#notrayicon, xrefs: 009B95B7
#requireadmin, xrefs: 009B95D9

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: e56636763bd79b2f80cfe3917d9b2bc436147dca0261d99d74b9c65c2dbe5aa8
Instruction ID: 6f124b7b286b63a5095258108178e807f1c670cb67b33dc59b2d81ebda15765e
Opcode Fuzzy Hash: e56636763bd79b2f80cfe3917d9b2bc436147dca0261d99d74b9c65c2dbe5aa8
Instruction Fuzzy Hash: 64213832164210A6C331AA259E16FFBB39C9FD1320F148426FE499B041EB959E45C395

Function 009E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009E3876

Strings

Listbox, xrefs: 009E380F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8ab8a0b19e17be87fe47bd836e157dc61d97deee1748a465768d2da7eec51e93
Instruction ID: 4d0668d20d5932726495416fe93e57b5e6906029a7635813ff15c6f78267eba6
Opcode Fuzzy Hash: 8ab8a0b19e17be87fe47bd836e157dc61d97deee1748a465768d2da7eec51e93
Instruction Fuzzy Hash: 48219272610158BBEF228F66CC85FBB376EEF89754F108124F9449B190C672DC52C7A0

Function 009C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009C4A5C
SetErrorMode.KERNEL32(00000000,?,?,009ECC08), ref: 009C4AD0

Strings

%lu, xrefs: 009C4A6F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 645a747a6c3b3d17c6c0e157284f2c43091f45e4ee407143a36494956ff3443b
Instruction ID: 3bcf730dbbd1fc1bac279501125d31c21d1bb23a8b31cfe6d813c83f315f9072
Opcode Fuzzy Hash: 645a747a6c3b3d17c6c0e157284f2c43091f45e4ee407143a36494956ff3443b
Instruction Fuzzy Hash: C4314C71A00109AFDB10DF64C885EAA7BF8EF49308F1480A9F949DB252D771EE46CB61

Function 009E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009E4271

Strings

msctls_trackbar32, xrefs: 009E4226

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 47d724fbfbfe90752fd5f34a991218bdf09086cec358de59c60fe1e0585a859a
Instruction ID: 5b786809c3fef6584de9428f829578d88314d8e83740b12ffe1df743173d8031
Opcode Fuzzy Hash: 47d724fbfbfe90752fd5f34a991218bdf09086cec358de59c60fe1e0585a859a
Instruction Fuzzy Hash: E5110631240288BEEF219F7ACC46FAB3BACEF99B64F010524FA55E61D0D271DC619B10

Function 009B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Part of subcall function 009B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009B2DC5
Part of subcall function 009B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B2DD6
Part of subcall function 009B2DA7: GetCurrentThreadId.KERNEL32 ref: 009B2DDD
Part of subcall function 009B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009B2DE4

GetFocus.USER32 ref: 009B2F78

Part of subcall function 009B2DEE: GetParent.USER32(00000000), ref: 009B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 009B2FC3
EnumChildWindows.USER32(?,009B303B), ref: 009B2FEB

Strings

%s%d, xrefs: 009B2FFF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a15c8e4ad9d4f4a3210b266bd6a215743c51f3b89c681a01f4642f899649474a
Instruction ID: 62e30b2ea19f6bbd9007937c124eea5c05f6dad134c16db6cc1898c394317489
Opcode Fuzzy Hash: a15c8e4ad9d4f4a3210b266bd6a215743c51f3b89c681a01f4642f899649474a
Instruction Fuzzy Hash: 1511A2B1600209ABCF14BF719DC5FEE376AAFD4314F048075BD09AB192DE74994A9B60

Function 009E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009E58EE
DrawMenuBar.USER32(?), ref: 009E58FD

Strings

0, xrefs: 009E588F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 04bcedc2ef0ac223c4337b8d4bf05f3d296b045ed52830b9e2d32b91bd679078
Instruction ID: 996673d718f860dfa2bccf2334d64c7e575d2f87416539d6281abd380dbb71f8
Opcode Fuzzy Hash: 04bcedc2ef0ac223c4337b8d4bf05f3d296b045ed52830b9e2d32b91bd679078
Instruction Fuzzy Hash: 83016171514258EFDB129F12DC44BEEBBB8FB45364F108099F949DA151DB308E94EF21

Function 009AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 009AD3BF
FreeLibrary.KERNEL32 ref: 009AD3E5

Strings

X64, xrefs: 009AD2A8
GetSystemWow64DirectoryW, xrefs: 009AD3B9

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: ec7e211588638056159d2dc28c523fcec46404fc7047f0e48a8796f7f6a1b063
Instruction ID: 78ce0dd4ddd88b542089959c104bf101e5582fdf2372280170cb0b8b8a605477
Opcode Fuzzy Hash: ec7e211588638056159d2dc28c523fcec46404fc7047f0e48a8796f7f6a1b063
Instruction Fuzzy Hash: F8F0ABB180B721DBDB7242204C68BAD3328BF12B01B548928FC63F6804EF64CC45C2D2

Function 009B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc551adb686aca235789acdb6fbe673d59042f4d06c31401987958dcf3f3ea41
Instruction ID: af5ef26ab741dc70dd6fad570c0c98ad19a3f89323186498bdd54c89955a25cc
Opcode Fuzzy Hash: bc551adb686aca235789acdb6fbe673d59042f4d06c31401987958dcf3f3ea41
Instruction Fuzzy Hash: CCC14C75A0020AEFDB14CFA8C998BAEB7B9FF88714F108598E515EB251D731ED41CB90

Function 009D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009D3459
CoUninitialize.OLE32 ref: 009D3463
VariantInit.OLEAUT32(?), ref: 009D346E
VariantClear.OLEAUT32(?), ref: 009D371B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d75b4c9ac2b99374923040ea770fed0fbcf70be1a59c2feb65bed7304e2e9e66
Instruction ID: 5656f8d5f5045ab6847fd0f4673e033ea277eeeb56f0105ee7e40ad125317859
Opcode Fuzzy Hash: d75b4c9ac2b99374923040ea770fed0fbcf70be1a59c2feb65bed7304e2e9e66
Instruction Fuzzy Hash: 4AA138756043009FC700DF69D585A2AB7E9FF88715F04C85AF98A9B362DB30EE05CB92

Function 009B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B0608
CLSIDFromProgID.OLE32(?,?,00000000,009ECC40,000000FF,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B062D
_memcmp.LIBVCRUNTIME ref: 009B064E

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4945d94b87705e6ef11e64594a533eea8d231cbe7727efd0fb6a2acd920081bf
Instruction ID: 6adb178842a48f3974155fa2a4a52942e66d96f1c9f90d0db12e52c8a87c3b4a
Opcode Fuzzy Hash: 4945d94b87705e6ef11e64594a533eea8d231cbe7727efd0fb6a2acd920081bf
Instruction Fuzzy Hash: C081FA75A00209EFCB14DF98C984EEEB7B9FF89315F204558F516AB250DB71AE06CB60

Function 00991391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009914C0

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f6cf9aaf0edf384882611d8c543609350a998835f900443088be512304c3e015
Instruction ID: 24fdadc6c2e2b11671a337d6c6bf2d8607568531c3f4d49255c05178360ef364
Opcode Fuzzy Hash: f6cf9aaf0edf384882611d8c543609350a998835f900443088be512304c3e015
Instruction Fuzzy Hash: 5B412D36600112ABDF257BFD8C467BE3BA8FF89370F254625F429D72A2E63488415762

Function 009E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012DEB40,?), ref: 009E62E2
ScreenToClient.USER32(?,?), ref: 009E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009E6382

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a2bd18f7009debf11bd8822e429614760f7dee8a88321e6ded191a7e22889553
Instruction ID: 0edcd59c37f5b2add2c1b73d16392d71bd5ade2fbbb689dbec7b22b97d6b949a
Opcode Fuzzy Hash: a2bd18f7009debf11bd8822e429614760f7dee8a88321e6ded191a7e22889553
Instruction Fuzzy Hash: A1512F74900245EFDF11DF59D880AAE7BB6FF553A0F108169F9559B290D730ED81CB50

Function 009D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009D1AFD
WSAGetLastError.WSOCK32 ref: 009D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009D1B8A
WSAGetLastError.WSOCK32 ref: 009D1B94

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 73a8661bc412a0ea3fcfe9e815f5c683affd5d7cbef89d0c493088e46286fe91
Instruction ID: d352efad11f6b703189c3d5d985310a6ac4c2be801a8d0a4fac34035d3840253
Opcode Fuzzy Hash: 73a8661bc412a0ea3fcfe9e815f5c683affd5d7cbef89d0c493088e46286fe91
Instruction Fuzzy Hash: 4841CF75640200AFE720EF24C886F2A77E5AB84718F54C449F95A9F3D2E776ED42CB90

Function 0098B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e16678be49367514da3407087947429be35fffbe8577f3efd090b9ef06303f1
Instruction ID: 07fb62ebc7391f60254556229ab5e00cf0b7b38aaa35c5f696af1cf93e0dce71
Opcode Fuzzy Hash: 9e16678be49367514da3407087947429be35fffbe8577f3efd090b9ef06303f1
Instruction Fuzzy Hash: EB412976A00304BFD724AF78CC42B6ABBE9EBC4710F14852AF556DB7A2D371A9018790

Function 009C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009C5783
GetLastError.KERNEL32(?,00000000), ref: 009C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009C57FA

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e3c3bbb2bb074baef249cbf2488afc1ba9e16e7f13e1a9eff30cbbe68508fe30
Instruction ID: e5496e5d68948a6af2c95dade075e08e793c616a31b28babf020d9982acd15b7
Opcode Fuzzy Hash: e3c3bbb2bb074baef249cbf2488afc1ba9e16e7f13e1a9eff30cbbe68508fe30
Instruction Fuzzy Hash: 18412B39600610DFCB11DF55C584B5EBBE6AF89321B198488FC4AAB362DB34FD45CB91

Function 0098D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00976D71,00000000,00000000,009782D9,?,009782D9,?,00000001,00976D71,8BE85006,00000001,009782D9,009782D9), ref: 0098D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0098D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0098D9AB
__freea.LIBCMT ref: 0098D9B4

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: aa7ef2de713fdb24d76bbd12bf21112b61bde5fd322002b6ec9cdfb43721d776
Instruction ID: 500c1ff10616861bfc904e4ba0b8340ddbb4c7833f8c364fc82ef3b59d704aa5
Opcode Fuzzy Hash: aa7ef2de713fdb24d76bbd12bf21112b61bde5fd322002b6ec9cdfb43721d776
Instruction Fuzzy Hash: EA31C372A0221AABDF25EF65DC45EAE7BA9EB40710F054168FC09D7290E736CD51CB90

Function 009E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 009E5352
GetWindowLongW.USER32(?,000000F0), ref: 009E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E53A8

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: cff36b7e4c482a9c9a99a9eb2d52b051fa4e725fefc0a6f02178dedef662352b
Instruction ID: 68fa779114657850a6ee58411913c16aa4626e8f8a24e9a996fbefed1d77ab13
Opcode Fuzzy Hash: cff36b7e4c482a9c9a99a9eb2d52b051fa4e725fefc0a6f02178dedef662352b
Instruction Fuzzy Hash: F8315834A55A88FFEF329F56CC45FE8376AAB043D4F592001FA00861E1C3B49D80EB41

Function 009BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76AAC0D0,?,00008000), ref: 009BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 009BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 009BAC74
SendInput.USER32(00000001,?,0000001C,76AAC0D0,?,00008000), ref: 009BACC6

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a125e619bb28092effc6440b0224e0533f5fa3db030132256594758cef8a6599
Instruction ID: 175e382377ba6554378b3f627629b85e582aeb91821ec69b160e910496dbe088
Opcode Fuzzy Hash: a125e619bb28092effc6440b0224e0533f5fa3db030132256594758cef8a6599
Instruction Fuzzy Hash: CD314630A14318AFEF35CB658D097FE7FA9AB89330F04461AE4C0961D1C3788D8197A2

Function 009E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009E769A
GetWindowRect.USER32(?,?), ref: 009E7710
PtInRect.USER32(?,?,009E8B89), ref: 009E7720
MessageBeep.USER32(00000000), ref: 009E778C

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2b034ebcc283df1b13cfcdf38d1ef74e6c62b5631b3d919774480c62652ddf21
Instruction ID: ab0640240fb78337784817bc96dd1fa4561006c3301235045c295b9e91503c2c
Opcode Fuzzy Hash: 2b034ebcc283df1b13cfcdf38d1ef74e6c62b5631b3d919774480c62652ddf21
Instruction Fuzzy Hash: A141AD34609295EFDB12CFDAC894EA9B7F4FB49704F1540A8E8549B261C732ED82CF91

Function 009E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009E16EB

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

GetCaretPos.USER32(?), ref: 009E16FF
ClientToScreen.USER32(00000000,?), ref: 009E174C
GetForegroundWindow.USER32 ref: 009E1752

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 308ec9ac547a5cb99d932f32ff297e8ad7367fa76ccc6e4ab6e2f12be3bc8c40
Instruction ID: 0adf03e11cc49219f9f12e898685bf4f8f9e81c059e5b9605f7909e12df7d980
Opcode Fuzzy Hash: 308ec9ac547a5cb99d932f32ff297e8ad7367fa76ccc6e4ab6e2f12be3bc8c40
Instruction Fuzzy Hash: BB3121B5D00249AFC704EFAAC881DEEB7FDEF88304B548069E855E7251D7319E45CBA0

Function 009BD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009BD501
Process32FirstW.KERNEL32(00000000,?), ref: 009BD50F
Process32NextW.KERNEL32(00000000,?), ref: 009BD52F
CloseHandle.KERNEL32(00000000), ref: 009BD5DC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: aa087a32a2988908ddc2d7d9a77f86349eae52ff88bd6d0e638d0f11300c80f2
Instruction ID: d751b9f52cad29f37c0a9b832f90fe50627771df250dda521168a645a0e95849
Opcode Fuzzy Hash: aa087a32a2988908ddc2d7d9a77f86349eae52ff88bd6d0e638d0f11300c80f2
Instruction Fuzzy Hash: CB318D711083409FD311EF54C881BAFBBE8EFD9354F14092DF985871A2EB71A949CBA2

Function 009E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

GetCursorPos.USER32(?), ref: 009E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009A7711,?,?,?,?,?), ref: 009E9016
GetCursorPos.USER32(?), ref: 009E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009A7711,?,?,?), ref: 009E9094

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5c0adf1e4723ea2590b1b889e9373031e260d6eb07b6bb0c6b5c6f35679f09e7
Instruction ID: 1317cc3ad8a1e68ed36a4777c47974a7cee0bbfeca6c39669bfb55585ec7e2db
Opcode Fuzzy Hash: 5c0adf1e4723ea2590b1b889e9373031e260d6eb07b6bb0c6b5c6f35679f09e7
Instruction Fuzzy Hash: 6621F371201058FFCB268F99CC98EFA3BB9EF8A311F400065F5054B161C7319E91EB60

Function 009BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009ECB68), ref: 009BD2FB
GetLastError.KERNEL32 ref: 009BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 009BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009ECB68), ref: 009BD376

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 65c2090b3b35298021f964443adda5d60a0bd1774e93b5f9a19d5420b9ac7195
Instruction ID: 3065948d63a1f968c8e001ca6c418c46f91c3f24da3024959b01ea7e24c914ed
Opcode Fuzzy Hash: 65c2090b3b35298021f964443adda5d60a0bd1774e93b5f9a19d5420b9ac7195
Instruction Fuzzy Hash: 1421A670509301DF8300DF25C9855AA77E8EF9A368F104A1DF8A5C72A2E731DD4ACB93

Function 009B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B102A
Part of subcall function 009B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B1036
Part of subcall function 009B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1045
Part of subcall function 009B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B104C
Part of subcall function 009B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009B15BE
_memcmp.LIBVCRUNTIME ref: 009B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B1617
HeapFree.KERNEL32(00000000), ref: 009B161E

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bf7896f9f5a33a5f12473878177be307e8a4fd673d2f2b33967f2676fbb2fdc8
Instruction ID: 7875d03e8d86aa21aa1c49ee1c8b3ea723e42010619c6ee6b4d0f0b4ab70b134
Opcode Fuzzy Hash: bf7896f9f5a33a5f12473878177be307e8a4fd673d2f2b33967f2676fbb2fdc8
Instruction Fuzzy Hash: 0F21AF72E00109EFDF14DFA4CA55BEEB7B8EF84364F484459E441AB241E770AE05DBA0

Function 009E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009E2840

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1395505f3ba530168d753791a62c164111cc7ea011957bc28b85d9f285fb14f0
Instruction ID: 20ef5f118a336831730a26dc813cecbf9154f8fba5bb7652f38fe1a9159ccd61
Opcode Fuzzy Hash: 1395505f3ba530168d753791a62c164111cc7ea011957bc28b85d9f285fb14f0
Instruction Fuzzy Hash: 4321B631208691AFD715DB25CC45F6A779DAF85324F148158F8168F6D2CB75FC42C790

Function 009B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,009B790A,?,000000FF,?,009B8754,00000000,?,0000001C,?,?), ref: 009B8D8C
Part of subcall function 009B8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 009B8DB2
Part of subcall function 009B8D7D: lstrcmpiW.KERNEL32(00000000,?,009B790A,?,000000FF,?,009B8754,00000000,?,0000001C,?,?), ref: 009B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B7923
lstrcpyW.KERNEL32(00000000,?), ref: 009B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B7984

Strings

cdecl, xrefs: 009B797B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1380ccddda59e72387e69e48d1a0bb213cd305b57ca4bd4a56385f814e2be388
Instruction ID: b4e748109d33401fc769985e7d477a89441f9315cff2113a4ba5bed0037ec5fc
Opcode Fuzzy Hash: 1380ccddda59e72387e69e48d1a0bb213cd305b57ca4bd4a56385f814e2be388
Instruction Fuzzy Hash: 4711063A204241AFCB159F74D844EBBB7A9FFC93A0B00412AF842CB2A4EB319811D751

Function 009E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009CB7AD,00000000), ref: 009E7D6B

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 462512d622bf74445e9492a17abed65ccc25bc456bdc9fccc2fda90c6080a206
Instruction ID: eb6a326284119240334d7b88a5720266ec84828c0b6ef093955cb76102f65faf
Opcode Fuzzy Hash: 462512d622bf74445e9492a17abed65ccc25bc456bdc9fccc2fda90c6080a206
Instruction Fuzzy Hash: 4211E431118695AFCB118FA9CC44A767BA9FF45360B154724F835CB2F0D7308D92DB50

Function 009E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009E56BB
_wcslen.LIBCMT ref: 009E56CD
_wcslen.LIBCMT ref: 009E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E5816

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b7df3c270d1e67ba6200d13793b33911bb7fb0cab76deff3a86cd6679461116e
Instruction ID: 859f08266e0b36a5b16e3f681590cb47a81bd32e3beada8b8b518f11799e45c1
Opcode Fuzzy Hash: b7df3c270d1e67ba6200d13793b33911bb7fb0cab76deff3a86cd6679461116e
Instruction Fuzzy Hash: 7D11E47160068996DF219F678C81AEE776CEF10B68F504426F905D6082E7748D80CB60

Function 009B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A8A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b6713eeb6464d70557613978a444e534d49baeb0d1d49d09006d44ea3592767f
Instruction ID: fef3abc0589885f16f2a78da6ce62a1bb46af01f93be3bd69665fe5461a454b9
Opcode Fuzzy Hash: b6713eeb6464d70557613978a444e534d49baeb0d1d49d09006d44ea3592767f
Instruction Fuzzy Hash: 0411273A901219FFEF109BA4C985FEDBB78EB08760F200091EA00B7290D6716E50DB94

Function 009BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 009BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009BE24D

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 99fa637d3e6a75c7e29f69ed11dfdbf6f8883297c90b339bd5f85921118bc2a2
Instruction ID: 7e5829397670177df2a448c0a0ee0352cef103bec2977a113cb51a6e3516efdb
Opcode Fuzzy Hash: 99fa637d3e6a75c7e29f69ed11dfdbf6f8883297c90b339bd5f85921118bc2a2
Instruction Fuzzy Hash: 1A116BB2D08244BFC710DFEC9D45AEE3FAD9B41320F004225F824E7280D270CD0287A0

Function 0097D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0097CFF9,00000000,00000004,00000000), ref: 0097D218
GetLastError.KERNEL32 ref: 0097D224
__dosmaperr.LIBCMT ref: 0097D22B
ResumeThread.KERNEL32(00000000), ref: 0097D249

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b58ce85d7ddbdd98582ab0d09ad46b9b15b6d6f7e7fb233e038ec5770c922d3e
Instruction ID: 9bbf43acd3d4a86107b64c9a481f5509f82ef0305fbde0d892eec4e5e0d71058
Opcode Fuzzy Hash: b58ce85d7ddbdd98582ab0d09ad46b9b15b6d6f7e7fb233e038ec5770c922d3e
Instruction Fuzzy Hash: 7601D27790A204BBCB116BA5DC09BAA7A7DEFC1731F208219F939961D1CB71CD02D7A0

Function 0095600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
GetStockObject.GDI32(00000011), ref: 00956060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 99e60edbbbf0e5401011627a41601dbcbf599b5e53fdf3df431482e52d3b534c
Instruction ID: 729aedddb413b54829ed949734d4af35b291e59fca8093b782cb665b4a16fa46
Opcode Fuzzy Hash: 99e60edbbbf0e5401011627a41601dbcbf599b5e53fdf3df431482e52d3b534c
Instruction Fuzzy Hash: 3811A1B2101548BFEF128FA6CC44EEA7B6DEF08365F400211FE0456050C7329C61EB90

Function 00973B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00973B56

Part of subcall function 00973AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00973AD2
Part of subcall function 00973AA3: ___AdjustPointer.LIBCMT ref: 00973AED

_UnwindNestedFrames.LIBCMT ref: 00973B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00973B7C
CallCatchBlock.LIBVCRUNTIME ref: 00973BA4

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 628491044ba610e2109a32c5668b4cab715f85cb34c36e5311158e2ee721218a
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B601D733100149BBDF125E95CC46EEB7B6DEF98754F04C018FE5C66122D732E961ABA1

Function 00983073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009513C6,00000000,00000000,?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue), ref: 009830A5
GetLastError.KERNEL32(?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue,009F2290,FlsSetValue,00000000,00000364,?,00982E46), ref: 009830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue,009F2290,FlsSetValue,00000000), ref: 009830BF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 2b77088dad0442aeaaa8a5553778bb2c69af27be63378fb8b405800eac5988f7
Instruction ID: beed1331ad1451e0c9708c8820fb9d9e36e157a20195bee243b4f74449cb5d85
Opcode Fuzzy Hash: 2b77088dad0442aeaaa8a5553778bb2c69af27be63378fb8b405800eac5988f7
Instruction Fuzzy Hash: D001D472325222ABCB315EB99C849677B9CAF05F61B108620F955E7340C721DD02D7E0

Function 009B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 009B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009B74CA

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1b46bd3e7cc335ca6f2681cc09afe734e9509c68e805c34862dfb8421607517d
Instruction ID: 5f5f31bf64f8835baccddbf2ffa86a56383d8b9dcafa09ccabb0a3d38bea5422
Opcode Fuzzy Hash: 1b46bd3e7cc335ca6f2681cc09afe734e9509c68e805c34862dfb8421607517d
Instruction Fuzzy Hash: D411C4B12093149FE7208F94DE48FD2BFFEEB40B11F108A69A656DA1A1E774E904DB50

Function 009BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB126

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c463cb951f6932d12ea673face7fa61f208aaaf6a0808f9f0814c491d20a95c6
Instruction ID: 72310e46f65b998c7bbbe42c78c70eea434033d2e89218204138c38aabc0ebf6
Opcode Fuzzy Hash: c463cb951f6932d12ea673face7fa61f208aaaf6a0808f9f0814c491d20a95c6
Instruction Fuzzy Hash: 5D11A171C0851CEBCF00AFE8DA986FEBB78FF0A320F004085D981B2185CBB449518B51

Function 009B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 009B2DD6
GetCurrentThreadId.KERNEL32 ref: 009B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009B2DE4

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c1b043ba50cf3699f6bc6b63058fd008e1a704be706f1cdb44322fba246ccf37
Instruction ID: a32288f3f73f8be49c9d164bf7ed2b1ed35d152371610bbdb2b6edc29e31917b
Opcode Fuzzy Hash: c1b043ba50cf3699f6bc6b63058fd008e1a704be706f1cdb44322fba246ccf37
Instruction Fuzzy Hash: 37E092B2119224BBDB201B729C4DFEB3E6CEF82FB1F000019F105D90809AA4CC42D6B0

Function 009E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00969639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696A2
Part of subcall function 00969639: BeginPath.GDI32(?), ref: 009696B9
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009E8887
LineTo.GDI32(?,?,?), ref: 009E8894
EndPath.GDI32(?), ref: 009E88A4
StrokePath.GDI32(?), ref: 009E88B2

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9a37f1797846867a79a53f2e0720495df0963e74b16527a67cc7111bece9b993
Instruction ID: c8b1a22bb67a95863fe23860e5d426bbcc0c2393417865f1edcfd7313b45dc83
Opcode Fuzzy Hash: 9a37f1797846867a79a53f2e0720495df0963e74b16527a67cc7111bece9b993
Instruction Fuzzy Hash: 4CF03A36049298BADF125F94AC09FDA3A59AF16311F448000FE61690E1C7755952DBA5

Function 009698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009698CC
SetTextColor.GDI32(?,?), ref: 009698D6
SetBkMode.GDI32(?,00000001), ref: 009698E9
GetStockObject.GDI32(00000005), ref: 009698F1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 79fd30c163d0d0db158808593625751d58bc8a129c90e9a0494e6a6f5e7c235f
Instruction ID: cb09dfde34c2166224d19f8c2e7e3c54e9dbbc423fc614752b70127dc86ce403
Opcode Fuzzy Hash: 79fd30c163d0d0db158808593625751d58bc8a129c90e9a0494e6a6f5e7c235f
Instruction Fuzzy Hash: 1AE06D7125C680AADB215B78EC49BE87F65EB16376F048219F6FA580E1C7714A41AB10

Function 009B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009B11D9), ref: 009B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009B11D9), ref: 009B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009B11D9), ref: 009B164F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0e66ebd6adc5f1afdc73d30036a2f39d23390a604b0906018358e16400996383
Instruction ID: 888fc0a431934746e7c2cd27899411c1a7684f191595ec9ed793b969a6f84ede
Opcode Fuzzy Hash: 0e66ebd6adc5f1afdc73d30036a2f39d23390a604b0906018358e16400996383
Instruction Fuzzy Hash: 47E08CB2616211EBDB201FA4AE4DB8A3B7CAF447A2F148808F685DD080E7348842DB60

Function 009AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009AD858
GetDC.USER32(00000000), ref: 009AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009AD882
ReleaseDC.USER32(?), ref: 009AD8A3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dec94fbccb04e71d99dd32e1fa1440f43f300be9fafbda4a8ecce92e09464c58
Instruction ID: ed1fefb60134a25c48cadb01a3fd17bb86862546543d2d7f82ee7157cf9f1c6c
Opcode Fuzzy Hash: dec94fbccb04e71d99dd32e1fa1440f43f300be9fafbda4a8ecce92e09464c58
Instruction Fuzzy Hash: 12E01AF4815205DFCF419FA4D84C66EBBB1FB48711F108409E896EB250C7389902AF40

Function 009AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009AD86C
GetDC.USER32(00000000), ref: 009AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009AD882
ReleaseDC.USER32(?), ref: 009AD8A3

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e60c0b2febff07dc6f22dec4bfb179783c0fcb277592e1135cbc862cd5e934a2
Instruction ID: 8e215421930741161f269299c5f172ec7fd0d9343ed2274da260a44e0bd42530
Opcode Fuzzy Hash: e60c0b2febff07dc6f22dec4bfb179783c0fcb277592e1135cbc862cd5e934a2
Instruction Fuzzy Hash: 74E01AB4C14205DFCF409FA4D84C66EBBB1BB48711B108408E896EB250C7385902AF40

Function 009C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009C4ED4

Strings

*, xrefs: 009C4E10
LPT, xrefs: 009C4DFB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 4142e3f622559e3d8ffd9f1e3cf335f080df8a6237d5c1e161352c67822ec18d
Instruction ID: c5e9457bb2ac92d57ce637863435efe6777811501b6b2a0212466f1151f10112
Opcode Fuzzy Hash: 4142e3f622559e3d8ffd9f1e3cf335f080df8a6237d5c1e161352c67822ec18d
Instruction Fuzzy Hash: DB913D75A002049FDB14DF58C494FAABBF5AF48304F19809DE84A9F362D735EE85CB91

Function 0097E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0097E30D

Strings

pow, xrefs: 0097E2E5, 0097E302

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 511e5da17abb6aa975ebae37b8fa448bec536e4ac031ca56c916982ba1bede1d
Instruction ID: a3aab641ff4c49d9db7a3806f1c54d7aa201b637a2cdb74570ae2fbb3602da7e
Opcode Fuzzy Hash: 511e5da17abb6aa975ebae37b8fa448bec536e4ac031ca56c916982ba1bede1d
Instruction Fuzzy Hash: 30512A62A1C20296CB157754C941379BBACAB54740F34CDE8E0DA833FAEB35CC95DB86

Function 0096E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0096E1B1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b5ef3e1323eb863ae8a1844a3bf6074321e162939c91b71634323498f9d2f6fe
Instruction ID: 2ff0abde3afc2b615845114ff751a05405c587f33d49f59f36879b1a68f0b613
Opcode Fuzzy Hash: b5ef3e1323eb863ae8a1844a3bf6074321e162939c91b71634323498f9d2f6fe
Instruction Fuzzy Hash: 86515579904246DFDB19DF28C491AFA7BA9EF56310F248059FCA19B2C0DB349D46CBA0

Function 0096F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0096F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0096F2BB

Strings

@, xrefs: 0096F2AF

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cb69eb1693816464186a79678c03873cf1737121f230b71c6001ce427fe586e2
Instruction ID: f56ffa19c20d7afa711a7329b24376494fe11304e2c3e9e9da83ed23fa23a2cb
Opcode Fuzzy Hash: cb69eb1693816464186a79678c03873cf1737121f230b71c6001ce427fe586e2
Instruction Fuzzy Hash: E65115714187489BD320EF51EC86BAFBBE8FBC4301F81885DF5D941195EB70852ACB66

Function 009D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009D57E0
_wcslen.LIBCMT ref: 009D57EC

Strings

CALLARGARRAY, xrefs: 009D57E6, 009D57EB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 19e76abdeef74f6759a822ed4e3a4f4602ffe3b70a1eef7aeedd528a070567bd
Instruction ID: fd5c88a0414099d9d847cc6d5ee6f8e297df7a60d2b182f8d0d2d774131c90a5
Opcode Fuzzy Hash: 19e76abdeef74f6759a822ed4e3a4f4602ffe3b70a1eef7aeedd528a070567bd
Instruction Fuzzy Hash: C141A175A002059FCB14DFA9C8819BEBBF9FF99324F11806AE505A7361E7349D81DB90

Function 009CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009CD13A

Strings

|, xrefs: 009CD10B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 12d487df83895102dd1e612601be7724313d6087453ffc2a3adcc457e16aca55
Instruction ID: b9f073067f9d38dbc7587f5fd60aaf6a387005c2c90b9d6a25ca6e5a9c9d3646
Opcode Fuzzy Hash: 12d487df83895102dd1e612601be7724313d6087453ffc2a3adcc457e16aca55
Instruction Fuzzy Hash: 4A311771D01209ABCF15EFA5CC85AEEBBB9FF45300F000029F819A6162D631AA1ACB61

Function 009E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009E365C

Strings

static, xrefs: 009E35BC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3842f3c6c557d8205a1f970d4a3bfaec97fb0fc860ade3a79887c393478f87bc
Instruction ID: 6553cebd5f491692843c0cea567b3accbf8a09e74c562f899a92f1ae9bc57f0c
Opcode Fuzzy Hash: 3842f3c6c557d8205a1f970d4a3bfaec97fb0fc860ade3a79887c393478f87bc
Instruction Fuzzy Hash: D4318D71110244AEDB11DF79DC85FBB73ADFF88724F009619F8A997280DA31AD82D760

Function 009E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 009E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E4634

Strings

', xrefs: 009E458E

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4fa127f617cc4e3ebdeaeceb5bbfb95d893e27a297613d2a91009268bd5c86dc
Instruction ID: ac86afea76b563b56ec61952cbf7187fb10af415bc867367c9f85695afdfa74b
Opcode Fuzzy Hash: 4fa127f617cc4e3ebdeaeceb5bbfb95d893e27a297613d2a91009268bd5c86dc
Instruction Fuzzy Hash: C9312874A003499FDB15CFAAC980BEA7BB9FF49700F104069E904AB341D770AD41CF90

Function 009E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E3287

Strings

Combobox, xrefs: 009E3249

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8ab31dbb5db83fc9116765c9676653116c37f58654172cab9b157ac6dbc2b9f7
Instruction ID: 395077bdf2c58fd8a6ca6a2393b468a3a7ad6a02a6215a0c65eaefd5c54c7c04
Opcode Fuzzy Hash: 8ab31dbb5db83fc9116765c9676653116c37f58654172cab9b157ac6dbc2b9f7
Instruction Fuzzy Hash: D311B2713002497FEF229F95DC88EBB37AEEB98364F108524FA6897390D6319D519760

Function 009E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0095600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
Part of subcall function 0095600E: GetStockObject.GDI32(00000011), ref: 00956060
Part of subcall function 0095600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

GetWindowRect.USER32(00000000,?), ref: 009E377A
GetSysColor.USER32(00000012), ref: 009E3794

Strings

static, xrefs: 009E3757

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 45ad2474063410ac07bdce558ff659237e0832aece66c0c0e73f0e1f11595621
Instruction ID: 611044b9abed5fc13a649fc36ca3e5ec8625ea99189901aaabdf9d9127fd3855
Opcode Fuzzy Hash: 45ad2474063410ac07bdce558ff659237e0832aece66c0c0e73f0e1f11595621
Instruction Fuzzy Hash: C81129B2610249AFDF11DFA9CC49AEA7BB9FB08314F004924F955E3250D735ED51DB50

Function 009CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009CCDA6

Strings

<local>, xrefs: 009CCD66

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6cfb259dab83323c467257f45ab5c2f78b70d0fcc05d9eb028dd39770cacdd16
Instruction ID: b18b405aff7934573a57e54ab135003cf8dad2ec58417e5079babf451c367d5e
Opcode Fuzzy Hash: 6cfb259dab83323c467257f45ab5c2f78b70d0fcc05d9eb028dd39770cacdd16
Instruction Fuzzy Hash: 3011E3F1A15632BAD7244A668C84FE3BEACEB127A4F00462AF10E820C0D2749941D6F1

Function 009E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009E34BA

Strings

edit, xrefs: 009E348F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1dec3a445bf3c5e1fa97be21cd9a7701d426984e5dfdc5192a06e48b0b66c302
Instruction ID: 553ccc1a9e61df189ac64102f4e1430fb67896f915efc5253872f41be525672a
Opcode Fuzzy Hash: 1dec3a445bf3c5e1fa97be21cd9a7701d426984e5dfdc5192a06e48b0b66c302
Instruction Fuzzy Hash: 2411BF71100188ABEB138F66DC88ABB376EEB45378F508724F960971E0D731DD529B50

Function 009B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

CharUpperBuffW.USER32(?,?,?), ref: 009B6CB6
_wcslen.LIBCMT ref: 009B6CC2

Strings

STOP, xrefs: 009B6CBC, 009B6CC1

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c5d160296b85063264286ffd917d17ee75edbac33fa974368a353415f6e770f9
Instruction ID: 4471ca93947b4dcaaa0632415b5cd0474e99daccae72971d9400b77e2d230ec3
Opcode Fuzzy Hash: c5d160296b85063264286ffd917d17ee75edbac33fa974368a353415f6e770f9
Instruction Fuzzy Hash: EA012632A005278BCB209FBDCD919FF37B9EBA0B207000924E99297191EB39FC04C750

Function 009B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009B1D4C

Strings

ListBox, xrefs: 009B1D16
ComboBox, xrefs: 009B1CEB

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c03400530f478309b4d45b98d0c197ee779b29806fe43cfa657196d944e799a2
Instruction ID: c113419485ee70e72a3acd9c34a9d84da434dd2b9488f679d6d4d2cbb825378d
Opcode Fuzzy Hash: c03400530f478309b4d45b98d0c197ee779b29806fe43cfa657196d944e799a2
Instruction Fuzzy Hash: 54012875604218EB9B08EBA0CE61DFE77A8FBC2360B500D09FC62572C1EA30590C8760

Function 009B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 009B1C46

Strings

ListBox, xrefs: 009B1C10
ComboBox, xrefs: 009B1BE5

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f8912dd4242ce5804d73e28f1c7280e2b62b781cd7b9d66fd13439eea8043d7d
Instruction ID: 965dbdd2279302c1216c1afa7e1d1cedabb2c868c0e0149f351d0fb054014a80
Opcode Fuzzy Hash: f8912dd4242ce5804d73e28f1c7280e2b62b781cd7b9d66fd13439eea8043d7d
Instruction Fuzzy Hash: C201AC75A45108A6DB04E7A0CB63AFF7BAC9B51350F540415AD8667182EA249E0C8771

Function 009B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 009B1CC8

Strings

ListBox, xrefs: 009B1C94
ComboBox, xrefs: 009B1C69

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f3a84907035a98ad77284f15702afe07cb95032b649382ee571b18487ddea903
Instruction ID: 5552ee386638ae87b25d163c04dc154f8de8fbee685272faa0df7e8e0107c633
Opcode Fuzzy Hash: f3a84907035a98ad77284f15702afe07cb95032b649382ee571b18487ddea903
Instruction Fuzzy Hash: 1D01D6B5A80118A7DB04EBA5CB11BFF7BACAB51350FA40415BC8673282EA209F0CC771

Function 009D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009D7493
_wcslen.LIBCMT ref: 009D74B9

Strings

3, 3, 16, 1, xrefs: 009D7483

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 8f71418e76299ea4a0afc8d9e9092c24f3f1802c2004b3c4af397f72d6ce3358
Instruction ID: 06780e3fd8a32412ffe5b629a0b5153cab9ac44a74d11c15ddc466514c6bc780
Opcode Fuzzy Hash: 8f71418e76299ea4a0afc8d9e9092c24f3f1802c2004b3c4af397f72d6ce3358
Instruction Fuzzy Hash: 50E02B0324422061923212BA9CC1B7F968EDFC5B90710982BFA89C6377FB948D9193A1

Function 009B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009B0B23

Strings

Error allocating memory., xrefs: 009B0B1C
AutoIt, xrefs: 009B0B17

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: b4d3a5ae64be6bf9367b71520a71a9d15ffb7080609d2d12f0eb2bdf5725b314
Instruction ID: 5f475c420bdfa40f318bb72f7b6b29b74974a675feb66cb70c36146facfc366a
Opcode Fuzzy Hash: b4d3a5ae64be6bf9367b71520a71a9d15ffb7080609d2d12f0eb2bdf5725b314
Instruction Fuzzy Hash: F4E0D83228435876D21536557C03FC97F889F49B25F100426FBD8954C38BE22C9006A9

Function 00970D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0096F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00970D71,?,?,?,0095100A), ref: 0096F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0095100A), ref: 00970D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0095100A), ref: 00970D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00970D7F

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: fac1e2f048bff15a1fb532641566993627a4d69084102028e4366f1129e7124b
Instruction ID: 2fb3bb54c8bf0085f2663124a78c29b9dca8ba2da6ce5008f3e933d622f288ba
Opcode Fuzzy Hash: fac1e2f048bff15a1fb532641566993627a4d69084102028e4366f1129e7124b
Instruction Fuzzy Hash: 10E06DB02003818FD370DFB9E4543567BE4AB90744F00892DE896CA795DBB0E8498B91

Function 009AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009AD220

Strings

X64, xrefs: 009AD2A8
%.3d, xrefs: 009AD22B

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 5d768f07013083dab2fb97d0fd107f3c28879b3eec6597bc8fee3b7314ba3f24
Instruction ID: 58b8409b6545d0fb8777b12b61b91123d1d8cd8b14d0e9d5b2d113a0e96d0514
Opcode Fuzzy Hash: 5d768f07013083dab2fb97d0fd107f3c28879b3eec6597bc8fee3b7314ba3f24
Instruction Fuzzy Hash: B7D062A1C0A119E9CB5096E0DC45AF9B37CBB59341F548C52FD27A1440D62CD549E7A1

Function 009E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009E233F

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Strings

Shell_TrayWnd, xrefs: 009E2325

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 62ca99f1b51759a5515e2e0a59d109ebda24a6fb1b9f5d8e5ac3a40423308cca
Instruction ID: d972308c61d83a98b3f05bdc74814183c3b54e77bc31d7d919fdcca3d1930626
Opcode Fuzzy Hash: 62ca99f1b51759a5515e2e0a59d109ebda24a6fb1b9f5d8e5ac3a40423308cca
Instruction Fuzzy Hash: 0BD0C9763A9350BAE664A7709C4FFC66A18AB40B10F0049167685AA1D0C9A0A8469A58

Function 009E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E236C
PostMessageW.USER32(00000000), ref: 009E2373

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Strings

Shell_TrayWnd, xrefs: 009E2365

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b5ec0fc71cbb7598a3ab7ea69b4bf8b83c0bb3dd1698933d1c8d79f8f57f2e49
Instruction ID: 90194114ca1b8cf8222e7e26588b072fe60efd11a6bab25fe275262c82ab27f1
Opcode Fuzzy Hash: b5ec0fc71cbb7598a3ab7ea69b4bf8b83c0bb3dd1698933d1c8d79f8f57f2e49
Instruction Fuzzy Hash: 24D0C976399350BAE664A7709C4FFC66618AB44B10F0049167685EA1D0C9A0B8469A58

Function 0098BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0098BE93
GetLastError.KERNEL32 ref: 0098BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0098BEFC

Memory Dump Source

Source File: 00000000.00000002.2557627279.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.2557612750.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557676441.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557714092.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2557728233.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_Offer 2024-30496.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c5386a66d3fe63636a33d7ac08e38e65e3e233f0bdc6174cafc5987c655b227e
Instruction ID: 9205bb88d067005f7541fa2f08e8408e2340ce833d6fb54e42d153ab38cff728
Opcode Fuzzy Hash: c5386a66d3fe63636a33d7ac08e38e65e3e233f0bdc6174cafc5987c655b227e
Instruction Fuzzy Hash: 1141E935604206AFCF21BF65CC54BBA7BA9EF42710F284169FA599B3A2DB309D01DB50

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Offer 2024-30496.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Hezron

C:\Users\user\AppData\Local\Temp\aut7867.tmp

C:\Users\user\AppData\Local\Temp\aut78D6.tmp

C:\Users\user\AppData\Local\Temp\preinhered

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
Offer 2024-30496.exe

Function 009542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 009542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00992BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00952CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0099065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0095344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00952B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00953170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00988D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 00BD25B0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00952C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00BD23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
fileCOMMON

Function 009C2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00953B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre